Re: TLS man in the middle

2009-11-09 Thread Alexander Klimov
On Sat, 7 Nov 2009, Sandy Harris wrote:
 I'm in China and use SSL/TLS for quite a few things. Proxy connections,
 Gmail set to always use https and so on. This is the main defense for
 me and many others against the Great Firewall.

 Should I be worrying about man-in-the-middle attacks from the Great
 Firewall servers?

The attack does not directly allow the attacker to see any plaintext; it only
prepends the attacker's plaintext to your data.

IMO if the Great Firewall administrator wanted to intercept TLS
traffic they would do the usual TLS MitM attack with replacement of
certificates (as done by some corporate firewalls). Using the
renegotiation attack for purposes allowed by law seems to be too
roundabout.

-- 
Regards,
ASK

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: TLS man in the middle

2009-11-08 Thread Sandy Harris
On 11/6/09, mhey...@gmail.com mhey...@gmail.com wrote:
 From http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
  and http://extendedsubset.com/?p=8

  From what I gather, when TLS client certificates are used, an attacker
  can post a command to a victim server and have it authenticated by a
  legitimate client.


I'm in China and use SSL/TLS for quite a few things. Proxy connections,
Gmail set to always use https and so on. This is the main defense for
me and many others against the Great Firewall.

Should I be worrying about man-in-the-middle attacks from the Great
Firewall servers?

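
The splice that Alexander describes (attacker plaintext prepended to the victim's data, no plaintext recovered) and the client-certificate case mheyman quotes, as an added toy model that is not from this thread or from any TLS implementation. It assumes a simplified server in which application data from before and after a renegotiation is handed to the application as one stream, and models the RFC 5746 fix (renegotiation_info carrying the previous handshake's verify_data); the class and function names, the sample payloads and the verify_data stand-in are all constructed for illustration.

```python
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional

@dataclass
class ClientHello:
    # renegotiation_info extension (RFC 5746): empty on a client's first
    # handshake, the previous handshake's verify_data on a renegotiation.
    reneg_info: bytes = b""

@dataclass
class Server:
    require_secure_reneg: bool               # enforce RFC 5746 binding?
    plaintext: bytearray = field(default_factory=bytearray)
    prev_verify_data: bytes = b""            # empty until a handshake completed

    def handshake(self, hello: ClientHello, peer_key: bytes) -> bool:
        """Return True if this handshake is accepted on the connection."""
        if self.prev_verify_data and self.require_secure_reneg:
            # Renegotiation: the client must prove it took part in the earlier
            # handshake on THIS connection. A victim spliced in by an attacker
            # believes it is starting a fresh connection, so it cannot.
            if hello.reneg_info != self.prev_verify_data:
                return False
        # Constructed stand-in for the Finished message's verify_data.
        self.prev_verify_data = sha256(peer_key + hello.reneg_info).digest()[:12]
        return True

    def receive(self, data: bytes) -> None:
        # Pre-fix behaviour: data from both handshakes forms one stream.
        self.plaintext += data

def splice(require_secure_reneg: bool) -> Optional[bytes]:
    """Attacker-opened connection with the victim's handshake renegotiated
    into it. Returns what the application saw, or None if the server refused."""
    srv = Server(require_secure_reneg)
    assert srv.handshake(ClientHello(), peer_key=b"attacker-key")
    srv.receive(b"ATTACKER-PREFIX ")          # constructed sample data
    # The victim's ClientHello is relayed as a renegotiation; to the victim it
    # is an initial handshake, so its renegotiation_info is empty.
    if not srv.handshake(ClientHello(reneg_info=b""), peer_key=b"victim-key"):
        return None
    # The victim's bytes are protected by victim-server keys the attacker never
    # holds: they are forwarded unread, which is why no plaintext leaks.
    srv.receive(b"victim request")           # constructed sample data
    return bytes(srv.plaintext)
```

Without the binding the application sees the attacker's prefix followed by the victim's (client-authenticated) data; with it the relayed handshake is rejected before any victim data reaches the stream.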