tim-security at sentinelchicken.org wrote:
>> (assuming the admin doesn't notice the cert changes and all that good
>> stuff.)
> There's your problem. If you assume this, you will always be vulnerable
> to MitM if the software you're using allows you to communicate anyway.
> If your SSH client lets you connect to systems whose keys have
> changed, same problem. If your VPN client allows it, same problem.
> This is why I wanted you to think about what you are trusting in the
> first place. You are trusting your CA and the certificate chain. If
> you can't do that, then you have no trust.

How trustworthy are the CA certificates included in the average browser? There are a couple of dozen CA certificates shipped with my browser. Some of the vendors associated with these CA certificates offer to give me a certificate for my web site in 10 minutes or less for a couple of hundred dollars. This sounds like a really ripe opportunity for social engineering to me.

- Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
