However, read up on dsniff at http://www.monkey.org/~dugsong/dsniff/. It is possible to do a MITM attack, if the client is willing to ignore security warnings and blindly click through error messages about the certificate not matching.
-----Original Message-----
From: Rich Salz [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 09, 2002 5:15 PM
To: Stefan Hans
Cc: SSL-Alias
Subject: Re: Security Scenario (understanding problem)

> If the client asks the server for a secure connection, the server starts its
> handshake by sending a suggestion of a private-private-key encryption
> (encrypted with its private-key).
>
> Right so far?

No. Totally wrong. Suggest you read more about the protocol details. A key (sic) point is that the client helps generate the session key, encrypted in the server's public key.

/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
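As an added illustration, not part of this thread or of mod_ssl, here is a toy Python model of the RSA key exchange Rich describes: the client picks the pre-master secret and encrypts it to whichever public key it accepted, so the certificate check is the only thing tying the session key to the intended server. The tiny primes, host names and the HMAC stand-in for the TLS PRF are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy RSA with tiny constructed primes: for illustration only, not secure.
def make_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)

SERVER_PUB, SERVER_PRIV = make_keypair(61, 53)
OTHER_PUB, OTHER_PRIV = make_keypair(67, 71)
# Constructed "certificates": (host name, public key, private key of its holder).
SERVER_CERT = ("www.example.com", SERVER_PUB, SERVER_PRIV)
OTHER_CERT = ("other.example", OTHER_PUB, OTHER_PRIV)

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def client_key_exchange(server_pub):
    """The client chooses the pre-master secret and encrypts it to the server's public key."""
    n, _ = server_pub
    premaster = secrets.randbelow(n - 2) + 2
    return premaster, rsa_encrypt(server_pub, premaster)

def derive_session_key(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: both sides mix the pre-master secret with both nonces."""
    return hmac.new(premaster.to_bytes(4, "big"),
                    client_random + server_random, hashlib.sha256).digest()

def handshake(expected_name, cert, ignore_cert_warnings=False):
    """Returns True when client and server derive the same key, None if the client aborts."""
    name, pub, priv = cert
    if name != expected_name and not ignore_cert_warnings:
        return None  # certificate does not match the host: a careful client stops here
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    premaster, encrypted = client_key_exchange(pub)
    client_key = derive_session_key(premaster, client_random, server_random)
    # Only the holder of the matching private key can recover the pre-master secret.
    server_key = derive_session_key(rsa_decrypt(priv, encrypted), client_random, server_random)
    return client_key == server_key
```

With `ignore_cert_warnings=True` the exchange completes just as happily against a mismatched certificate, which is exactly why clicking through the warning defeats the protocol.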