Reading the article, he is pointing out that many people (especially for
SSH) do not have a way to verify the signature on the server cert, so if
you are a bit careless and don't check that the cert you connect to is valid,
then someone can present you with a fake cert and (as you didn't bother to
check it) you will accept it and are therefore vulnerable.
Nothing new, just a repeat of the statement that if you don't verify the
cert it doesn't really do you any good.
David Lang
On Tue, 19 Dec 2000, Greg Stark wrote:
> Date: Tue, 19 Dec 2000 11:40:11 -0500
> From: Greg Stark <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Kurt Seifried's article on securityportal
>
> Kurt Seifried has written an article (www.securityportal.com) in which
> he claims there are man-in-the-middle attacks against SSL. I think
> his article is wrong, but he has conveniently left off enough technical
> details of his attack so that he can always say he meant something else.
>
> The problem is that it is getting a surprising amount of play. I put in my
> two cents on Slashdot yesterday, but today I saw some posts on
> the IPSec mailing list referencing the Seifried article.
>
> I guess I am most curious about just what his man-in-the-middle
> attack is? My guess is that he is claiming his MITM can replace the
> legitimate server certificate with one of his own choosing. I suspect
> Seifried doesn't understand the CN check which is performed by
> SSL clients and outlined in section 3 of
> http://www.rfc-editor.org/rfc/rfc2818.txt.
> If anybody can figure out what he is really claiming, please e-mail the
> list.
>
> Thanks,
>
> Greg Stark, [EMAIL PROTECTED]
> Chief Security Architect
> Ethentica, Inc.
> www.ethentica.com
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
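Since Greg refers to the CN check of RFC 2818 section 3 and David's point is that an unverified certificate buys you nothing, here is an added example, not code from either post or from OpenSSL, that implements the RFC 2818 section 3.1 identity-matching rules (a subjectAltName dNSName takes precedence over the CN; a wildcard matches within a single label only) and shows the careless and the verifying client configurations side by side using Python's ssl module. The certificate fields are constructed sample data, and the ssl-module calls assume a current Python 3 rather than a 2000-era toolkit.

```python
"""RFC 2818 section 3.1 server identity check, plus the client-side
configuration that decides whether any check runs at all.

Added example for this thread; not code from the original posts or from
OpenSSL. Certificate fields are constructed sample data (assumption), and
the ssl-module calls assume a current Python 3.
"""
import re
import ssl


def match_rfc2818(pattern: str, hostname: str) -> bool:
    """Match one identity presented in a certificate against the hostname
    the client intended to reach, using the wildcard rules of RFC 2818
    section 3.1: '*' matches any single domain name component or component
    fragment, so '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com',
    and 'f*.com' matches 'foo.com' but not 'bar.com'. DNS names are
    case-insensitive, so the comparison is too."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot, so label counts must agree
    for p, h in zip(p_labels, h_labels):
        # Within one label, '*' becomes 'any run of non-dot characters'.
        regex = "^" + "[^.]*".join(re.escape(part) for part in p.split("*")) + "$"
        if not re.match(regex, h):
            return False
    return True


def verify_server_identity(hostname, san_dns_names, subject_cn):
    """Decide whether a certificate's identities match the requested
    hostname. Per RFC 2818 section 3.1, if a subjectAltName extension of
    type dNSName is present it MUST be used as the identity and the
    Common Name is ignored; the CN is consulted only when no such
    extension exists. Returns (accepted, reason)."""
    if san_dns_names:
        for name in san_dns_names:
            if match_rfc2818(name, hostname):
                return True, "matched subjectAltName dNSName %r" % name
        return False, "no subjectAltName dNSName matched; CN ignored because a SAN is present"
    if subject_cn and match_rfc2818(subject_cn, hostname):
        return True, "matched subject CN %r (no subjectAltName present)" % subject_cn
    return False, "no identity in the certificate matches the requested hostname"


def careless_client_context() -> ssl.SSLContext:
    """The configuration the thread warns about: the handshake still
    completes and traffic is encrypted, but the chain is never verified
    and no hostname check runs, so a man-in-the-middle can present any
    certificate it likes and it will be accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # chain signature never checked
    return ctx


def verifying_client_context() -> ssl.SSLContext:
    """Python's default context already verifies the chain against the
    platform trust store and runs the RFC 2818 hostname check; the point
    is simply not to switch either off."""
    return ssl.create_default_context()


def context_is_mitm_safe(ctx: ssl.SSLContext) -> bool:
    """Both conditions are needed: CERT_REQUIRED makes a forged chain fail,
    and check_hostname makes a valid-but-wrong-name certificate fail."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed sample certificates: one issued for the real host, one an
    # attacker minted for a name he controls and is trying to pass off.
    target = "www.example.com"
    print(verify_server_identity(target, ["www.example.com"], None))
    print(verify_server_identity(target, ["www.attacker.test"], "www.example.com"))
    print("careless context safe:", context_is_mitm_safe(careless_client_context()))
    print("default context safe:", context_is_mitm_safe(verifying_client_context()))
```

Note that the second constructed certificate carries the victim's name in its CN but a different name in its subjectAltName; a client following RFC 2818 rejects it because the SAN, not the CN, is authoritative once a SAN is present. With the careless context neither this check nor the chain check ever runs, which is exactly the situation David describes.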