On Jan 14, 2009, at 2:38 PM, Peter Saint-Andre <[email protected]> wrote:

As previously noted, "please send follow-ups to the [email protected] list."

Earl wrote:
Peter,

I have seen a company selling a hw firewall, targeted at corporations that want to read all SSL and TLS traffic. This firewall only performed the man in the middle listening and let the corporation see all SSL and TLS encrypted traffic in the clear. I have serious doubts that SSL or TLS can really provide any security. I mean this firewall was being sold by a very small Chinese company, so you can imagine what organized crime and governments can do.

I have no comment on that.

These systems require installing a new CA on the browser. It's not an inherent issue with SSL/TLS. If the attacker controls your client you are hosed no matter what crypto you use.

I believe XMPP should use ZRTP and require that ZRTP SASL *must* be displayed so that it can be vocally read to the other party to determine if there is a man in the middle.

I don't think this is very realistic. As I said earlier, there are lots of situations where this doesn't work at all (e.g. IVR). And even in human-to-human settings the available data suggests that people will not actually check the SAS.

Ekr
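An added example, not part of this thread, of the SAS check Earl proposes and the human comparison step Ekr is sceptical of: a toy Diffie-Hellman exchange in Python, run once directly and once through an interposer who terminates both legs. The group and the SAS derivation are assumed simplifications, not ZRTP's real ones.

```python
import base64
import hashlib
import secrets

# Toy finite-field DH group, chosen only to keep the demo short.
# Assumption: this is NOT one of ZRTP's real groups.
P = 2**127 - 1
G = 5


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(peer_pub: int, priv: int) -> bytes:
    # Shared secret as 16 big-endian bytes (P < 2**128).
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def sas_from_secret(secret: bytes, chars: int = 4) -> str:
    """Simplified SAS: base32 of a hash of the shared secret.
    ZRTP derives its sashash through the full key derivation; the default
    of 4 base32 characters mirrors ZRTP's 20-bit base32 SAS."""
    digest = hashlib.sha256(b"sas-demo:" + secret).digest()  # constructed label
    return base64.b32encode(digest).decode()[:chars]


def sas_matches(secret_a: bytes, secret_b: bytes, chars: int = 4) -> bool:
    """The step the two humans perform when they read the SAS aloud."""
    return sas_from_secret(secret_a, chars) == sas_from_secret(secret_b, chars)


def honest_exchange(a: int, b: int):
    """Alice (private a) and Bob (private b) exchange public values directly."""
    return dh_shared(dh_public(b), a), dh_shared(dh_public(a), b)


def mitm_exchange(a: int, b: int, m1: int, m2: int):
    """Mallory terminates both legs with her own private values m1 and m2.
    Returns (alice, bob, mallory_toward_alice, mallory_toward_bob) secrets."""
    alice = dh_shared(dh_public(m1), a)          # Alice believes this is Bob
    mallory_to_alice = dh_shared(dh_public(a), m1)
    bob = dh_shared(dh_public(m2), b)            # Bob believes this is Alice
    mallory_to_bob = dh_shared(dh_public(b), m2)
    return alice, bob, mallory_to_alice, mallory_to_bob


if __name__ == "__main__":
    a, b, m1, m2 = (secrets.randbelow(P - 2) + 1 for _ in range(4))
    s_alice, s_bob = honest_exchange(a, b)
    print("direct:     Alice", sas_from_secret(s_alice), "Bob", sas_from_secret(s_bob))
    s_alice, s_bob, _, _ = mitm_exchange(a, b, m1, m2)
    print("interposed: Alice", sas_from_secret(s_alice), "Bob", sas_from_secret(s_bob))
    # Each leg still encrypts and decrypts fine; only the spoken comparison
    # shows that Alice and Bob do not share a secret.
```

Because Mallory's secret on each leg equals the corresponding party's, nothing in the session fails; the 20-bit SAS exposes the interposer only when the two humans actually compare it, and even then lets one slip through roughly once in 2^20 calls.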
