The only way (other than brute force or perhaps some highly-classified, non public attack on the RSA algorithm) for a man-in-the-middle to compromise an SSL session without notifying the client is for the MITM to either: Have the private key of one of the two parties. Be considered a trusted CA by the client, and generate his own private key, corresponding certificate, and then signing that cert, representing himself as the server. This is how the Bluecoat and other SSL-breaking-proxies work.
Otherwise, there will be an anomaly that should generate an error - either the cert won't be signed by a trusted CA, or it won't match the name of the server. For folks working on corporate or Government nets, however, it's quite possible (and with new regs, it's becoming more and more likely) that your workstation (owned by the company/gov't) may have had a new trusted root CA added, which enables the proxies talked about above. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: Tuesday, July 29, 2008 5:47 AM To: [email protected] Subject: Re: SSL certificate signing request On Mon, Jul 28, 2008, Phibo wrote: > > Is it possible for a certificate authority (CA) signing my SSL > certificate signing request (csr) to decrypt my own SSL sessions ? Or, > in other words, in a csr are there enough infos about my private key > to be able to intercept SSL sessions encrypted by my public key ? > It can't decrypt anything using your public key no because the CSR only contains details of your public key and a digital signature. A CA could in theory perform a MITM attack, by issuing itself a certificate with your identity and containing a public key to which it has the private key. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
