We have had 30 emails in the last hour on this same subject including
numerous one-liners.  Maybe you should take this chatroom discussion offline
until you all agree on something worth announcing to the rest of us?

Jeff Cornett
Optio Software, Inc. 
225 S. Westmonte Avenue, Suite 3000, Altamonte Springs, FL  32714

                Phone           E-Mail              Web Site
Business:       407-774-7800    [EMAIL PROTECTED]   http://www.optiosoftware.com
Home:           407-330-1968    [EMAIL PROTECTED]   http://www.printagame.com



> -----Original Message-----
> From: Thomas Nichols [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, December 19, 2000 1:56 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: Kurt Seifred's article on securityportal
> 
> Also, there is no crypto-board.
> 
> Erwann ABALEA wrote:
> 
> > No. A MITM attack can also occur even if you're using a crypto
> > accelerator. The only way this attack cannot occur is if you ask for
> > client authentication.
> >
> >  - the sniffer generates a self-signed certificate with the same name as
> >    your server cert (www.secure.site)
> >  - the browser wants to connect to your site (www.secure.site), but
> >    instead connects to the sniffer (sniff.evil.domain)
> >  - the sniffer negotiates the SSL session with the browser, by presenting
> >    the newly generated self-signed cert
> >  - the browser gets a warning claiming that the cert is invalid
> >  - the attack goes there: the user only clicks OK because he doesn't know
> >    anything about PKI
> >  - the sniffer then establishes an SSL session with your server, using your
> >    crypto accelerator if you want. In this exact case, the sniffer only
> >    acts as a valid customer browser, so this connection is perfectly
> >    valid.
> >  - the sniffer then routes all the data between the browser and the
> >    server, but all this data is cleartext in its own address space, and
> >    ciphered between (browser, sniffer) and (sniffer, server).
> >
> > So your cryptoboard cannot do anything against a dumb user being sniffed.
> >
> > Again: the attack has nothing to do with the server, or the cryptoboard
> > the server might have.
> >
> > On Tue, 19 Dec 2000, Thomas Nichols wrote:
> >
> > > Quite the contrary. There is no method available for an MITM to replace
> > > the SSL cert as it can only reside where it is and is linked to private
> > > IP servers behind the accelerator.
> > > Erwann ABALEA wrote:
> > >
> > > > On Tue, 19 Dec 2000, Thomas Nichols wrote:
> > > >
> > > > > The best method is to not have the SSL certificate and key on the
> > > > > server to begin with. I use a non-ip based ssl accelerator.
> > > >
> > > > This is not a protection against this attack.
> > > >
> > > > This attack doesn't steal the private key of the host, it only relies
> > > > on the "dumbness" of the users, who only click "OK" when a warning pops
> > > > up (considering that the user doesn't know anything about PKI).
> > > >
> > > > This attack is not against SSL, or SSH, but only against the users.
> >
> > --
> > Erwann ABALEA
> > [EMAIL PROTECTED]
> > RSA PGP Key ID: 0x2D0EABD5
> > ------
> > Against stupidity, the Gods themselves, contend in vain!
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> 
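An added illustration of Erwann's point, written for this page rather than posted by anyone in the thread: a self-signed certificate carrying the right host name is rejected by a client that actually validates the chain, and only a client that skips verification (the user clicking OK on the warning) completes the handshake. The host name www.secure.site, the certificate and the in-memory pipe standing in for the network are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SnifferCert builds a self-signed certificate carrying the victim's host
// name, as the sniffer in the thread does; no trusted CA has signed it.
func SnifferCert(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Accepted runs an in-memory TLS handshake against a server presenting the
// sniffer's cert for host and reports whether the client completed it.
// skipVerify=true models the user who clicks OK on the browser warning.
func Accepted(host string, skipVerify bool) bool {
	c, s := net.Pipe() // constructed stand-in for the network path
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{SnifferCert(host)},
		SessionTicketsDisabled: true}) // no post-handshake flight on a synchronous pipe
	go func() { srv.Handshake(); s.Close() }()
	cli := tls.Client(c, &tls.Config{ServerName: host, InsecureSkipVerify: skipVerify})
	defer cli.Close()
	return cli.Handshake() == nil
}

func main() {
	// A client that validates the chain never reaches application data;
	// the matching name alone buys the sniffer nothing.
	fmt.Println("strict client accepts:", Accepted("www.secure.site", false))
	fmt.Println("click-OK client accepts:", Accepted("www.secure.site", true))
}
```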
