On Mon Dec 10 20:56:17 2007, Justin Karneges wrote:
> Charlie can't login as Alice:
> Charlie <--- TLS ---> Bob
> (Charlie doesn't have Alice's credentials to use in the HTML
> form.)

Right.

> Charlie can't MITM attack:
> Alice <--- TLS ---> Charlie <--- TLS ---> Bob
> (Alice initiates TLS, doesn't get Bob, and so she rejects the
> session. The second TLS channel between Charlie and Bob has no
> relevance.)

Wrong. Bob doesn't know if Alice has checked his certificate or not.
Alice does, but cannot simply tell Bob, because Bob can't trust her
assertion, because Charlie might be there.

So yes, you're quite right, this is a security hole in almost all
uses of HTTPS.

It's much worse, of course, in the case where Alice has no means of
validating Bob's certificate, for example if Bob has a self-signed
cert - which is fairly common. In this case, strange as it may seem,
both Alice and Bob actually have no idea if there's Charlie in the
middle, even if TLS seems to be okay as far as both can tell.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade