[LINK] Filter to cause World Wide Wait

Kim Holburn kim.holburn at gmail.com
Fri Oct 31 05:41:41 AEDT 2008


One of the issues about filtering for https is that up until recently  
https had to start with a unique IP address for each https server.

I believe there is a new protocol similar to TLS that allows an https  
session to start unencrypted and then turn on encryption.  It still,  
as I understand it, would not allow man in the middle attacks but it  
might allow filtering and outright blocking of https sites by domain  
name.  It's not clear to me that browsers are implementing it yet  
though.

It sounds to me like these filters they are planning are like proxies  
and filter on domain name.  Does that mean using a URL with and IP  
address would by-pass them?

Also I assume some kind of port relay would get past the filter like  
it didn't exist.  A new start-up?

On 2008/Oct/30, at 10:23 AM, Martin Barry wrote:

> $quoted_author = "Richard Chirgwin" ;
>>
>> 1) As I understand it, SSL uses asymmetric keys to authentication  
>> and a
>> symmetric key for data exchange. Please correct me if I'm wrong.
>
> Sounds about right.
>
>
>> 2) SSL is session-based, by which I mean that it's supposed to be
>> (relatively) sensitive to MITM attacks. If you interrupt the session,
>> it's gone. Again, CMIIW.
>
> This is where Certificate Authorities (CA) come in. Trusted third  
> party(s)
> sign the key for verification at initial presentation. SSL relies on  
> them
> being shipped with your browser and compares it with the domain name  
> in the
> URL, PKI relies on key servers and compares it with the email address
> etc.etc.
>
> When the initial connection occurs, if a MITM is attempted, your  
> browser
> should warn you that the certificate is not signed by a trusted CA  
> or that
> the signed certificate does not match the domain name. [1]
>
> To effect a MITM on SSL, someone would have to subvert the CA process,
> either by getting them to sign a dodgy key for a given domain name  
> (which
> limits the attack to that site) or getting their own root CA into  
> browsers
> (which enables them to attack any site).
>
> cheers
> marty
>
> [1] But how common was it for people to dismiss those warnings without
> reading them! Note how Firefox3 has made it a 3-4 click process to  
> accept an
> incorrect certificate.
>
> -- 
> "Friends tell me that I will take naturally to blogging because I am  
> in
> possession of many poorly considered opinions about issues I  
> understand only
> marginally." Jeffrey Goldberg
>
> http://jeffreygoldberg.theatlantic.com/archives/2008/04/welcome_to_the_terrordome_1.php
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request








More information about the Link mailing list