* Robert Butler wrote on Wed, Oct 03, 2007 at 17:43 -0400:
> That's right- 
> 
> nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
> since everything is encrypted using TLS or SSL.

Just for security I'd like to add a small clarification.
  (I know you know, but it cannot be stressed enough, otherwise
   over time and with some laziness a "default trust" in TLS
   could occur, like "it's TLS and thus secure", which of course
   is wrong).

Encryption or SSL/TLS (as in HTTPS) by itself does not help at all
against MITM as long as the peer is not authenticated. This
authentication should be made by the user (after establishing the
SSL/TLS tunnel) by verifying the certified identity information
(by checking the certificate subject values), which works as long
as you can trust the system running the browser.

> If you get extremely lucky and catch the browser at the wrong moment,
> you can sniff the server key and browser key,
> but apart from that, it really depends on the strength of the server's
> key.

I assume keys used in practice (except some US export restricted
software, in case this restriction still exists) are always
strong enough to make a brute force key attack much more
expensive than other attacks (in which case IMHO the key strength
is sufficient).

> What they do, is they spoof the certificate and point you to a
> hijacked webpage (us.etrade.com.mypaidhost.net), from which
> they can easily collect your login information. 

They can (and should) use a valid, correct, authentic certificate
for *.mypaidhost.net, which guarantees that the TLS tunnel is
really established to mypaidhost.net. That is what TLS is for.

Whether the authenticated peer (such as us.etrade.com.mypaidhost.net)
is the intended one or not must be decided by the user (who usually
should inspect the information in the certificate and other details).

Without the user inspecting the certificate, TLS does not help.
Maybe in case of a valid certificate for the phishing site the
institution that requested the certificate could be caught,
because the CA should know, but I'm afraid in practice you can
get certificates without this being guaranteed, such as a
cacert.org certificate or whatever.

oki,

Steffen
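The following is an added example and is not part of Steffen's message or of the OpenSSL project's own code. It uses the openssl command line to build a throw-away test CA (named "Demo Test CA", a constructed name) and have it issue a perfectly valid certificate for the phishing host us.etrade.com.mypaidhost.net (the exact host name is used instead of *.mypaidhost.net, since a wildcard covers only one DNS label and would not match a three-label prefix). The chain then verifies, which is exactly what TLS promises; only a comparison of the certified name against the site the user meant to reach (us.etrade.com) exposes the phish. The working directory comes from mktemp and all file names are assumptions of the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a valid certificate chain for the
# phishing host, to show that "chain OK" and "this is the site I wanted"
# are two different checks. Names and files below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build a private test CA and let it issue a cert for the phisher's host.
build_demo_certs() {
    # 1. Self-signed root of a hypothetical CA ("Demo Test CA").
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Demo Test CA" >/dev/null 2>&1
    # 2. Key and CSR for the phishing host. The requester really does
    #    control mypaidhost.net, so a CA has no reason to refuse it.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=us.etrade.com.mypaidhost.net" >/dev/null 2>&1
    # 3. Sign it, with a subjectAltName so modern host-name checks apply.
    printf 'subjectAltName=DNS:us.etrade.com.mypaidhost.net\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Chain validation: returns 0 when the leaf chains to the trusted CA.
# This is the part TLS does for you: the tunnel really ends at the
# holder of this certificate.
chain_is_valid() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Name check: returns 0 only if the certificate is valid for the host the
# user *meant* to visit. "openssl x509 -checkhost" prints its verdict
# instead of signalling it in the exit status, so the message is grepped.
cert_matches_host() {
    openssl x509 -in "$WORK/leaf.crt" -noout -checkhost "$1" 2>/dev/null \
        | grep -q ' does match certificate'
}

build_demo_certs
chain_is_valid && echo "chain: valid (tunnel really ends at the certified host)"
cert_matches_host us.etrade.com.mypaidhost.net \
    && echo "name check us.etrade.com.mypaidhost.net: match (fine for the phisher)"
cert_matches_host us.etrade.com \
    || echo "name check us.etrade.com: NO match (what the user must notice)"
```

Run it as a script with openssl 1.0.2 or later on the PATH. A browser performs the same two steps automatically, chain validation plus a host-name match against the URL the user typed, which is why the attack in the thread does not fight TLS at all: it relies on the user accepting a name that merely contains etrade.com.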
 
About Ingenico Throughout the world businesses rely on Ingenico for secure and 
expedient electronic transaction acceptance. Ingenico products leverage proven 
technology, established standards and unparalleled ergonomics to provide 
optimal reliability, versatility and usability. This comprehensive range of 
products is complemented by a global array of services and partnerships, 
enabling businesses in a number of vertical sectors to accept transactions 
anywhere their business takes them.
www.ingenico.com This message may contain confidential and/or privileged 
information. If you are not the addressee or authorized to receive this for the 
addressee, you must not use, copy, disclose or take any action based on this 
message or any information herein. If you have received this message in error, 
please advise the sender immediately by reply e-mail and delete this message. 
Thank you for your cooperation.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
