Hey Greg,
I may be wrong because I haven't "practice" this kind of question for a
while now and I am too lazy to check if what I am saying is wrong! ;-) [Bad
guy.....]
The MITM attack is an attack that takes place at connection time. The
cracker is smart enough to insert his system between the user and the
trusted web server. At negociation time, the MITM try to fake to the trusted
web server that he is the user and to the user that he is the trusted web
server.
As far as I know, the lastest SSL protocol is MITM-aware. That means that
the protocol has mechanisms to avoid this issue.
Before this last versionn, if I remember correctly (and I MAY be wrong!),
the MITM attack could have worked if the user didn't not own a
certificate..... Basically, if you connect to a SSL server like 99% of the
people on the Internet, yes the MITM can occur. But if you want to use a
really secure system, then you give a certificate to your users so that your
SSL connection is really secure.
I would think (I haven't checked!) that most of the browser support (by
default) old versions of SSL. That means that the MITM can tell to the user
"sorry, I only work with this (potentially unsecure) version of SSL, can we
use it?". And then use whatever is needed to connect to the trusted web
server. That's the same thing with Microsoft and the "encrypted network
passwords over pptp" where you could tell to the server "I don't support
encrypted password, let's move to clear text password communication".
I hope that helps!
Loic.
______________
Loïc Fabro
/--------------------------------------------------\
Consultant, Advanced Services Group | Simple to Use - Simple to Deploy -
Simple to Get |
MicroStrategy | MicroStrategy 7 Business
Intelligence Software |
The Power of Intelligent E-Business | Get your Free evaluation copy
today! |
|
www.microstrategy.com/eval |
8000 Towers Crescent Drive
\--------------------------------------------------/
Suite 1400
Vienna, VA 22182
http://www.microstrategy.com/
-----Original Message-----
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 19, 2000 11:40 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Kurt Seifred's article on securityportal
Kurt Seifried has written an article (www.securityportal.com) in which
he claims there are man-in-the-middle attacks against SSL. I think
his article is wrong, but he has conveniently left off enough technical
details of his attack so that he can always say he meant something else.
The problem is that it is getting a surprising amount of play. I put in my
two cents on Slashdot yesterday, but today I saw some posts on
the IPSec mailing list referencing the Seifried article.
I guess I am most curious about just what his man-in-the-middle
attack is? My guess is that he is claiming his MITM can replace the
legitimate server certificate with one of his own choosing. I suspect
Seifried doesn't understand the CN check which is performed by
SSL clients and outlined section 3 of
http://www.rfc-editor.org/rfc/rfc2818.txt.
If anybody can figure out what he is really claiming, please e-mail the
list.
Thanks,
Greg Stark, [EMAIL PROTECTED]
Chief Security Architect
Ethentica, Inc.
www.ethentica.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
