[LINK] Filter to cause World Wide Wait

Martin Barry marty at supine.com
Thu Oct 30 20:23:08 EST 2008


$quoted_author = "Richard Chirgwin" ;
> 
> 1) As I understand it, SSL uses asymmetric keys to authentication and a
> symmetric key for data exchange. Please correct me if I'm wrong.

Sounds about right.

 
> 2) SSL is session-based, by which I mean that it's supposed to be
> (relatively) sensitive to MITM attacks. If you interrupt the session,
> it's gone. Again, CMIIW.

This is where Certificate Authorities (CA) come in. Trusted third party(s)
sign the key for verification at initial presentation. SSL relies on them
being shipped with your browser and compares it with the domain name in the
URL, PKI relies on key servers and compares it with the email address
etc.etc.

When the initial connection occurs, if a MITM is attempted, your browser
should warn you that the certificate is not signed by a trusted CA or that
the signed certificate does not match the domain name. [1]

To effect a MITM on SSL, someone would have to subvert the CA process,
either by getting them to sign a dodgy key for a given domain name (which
limits the attack to that site) or getting their own root CA into browsers
(which enables them to attack any site).
 
cheers
marty

[1] But how common was it for people to dismiss those warnings without
reading them! Note how Firefox3 has made it a 3-4 click process to accept an
incorrect certificate.

-- 
"Friends tell me that I will take naturally to blogging because I am in
possession of many poorly considered opinions about issues I understand only
marginally." Jeffrey Goldberg

http://jeffreygoldberg.theatlantic.com/archives/2008/04/welcome_to_the_terrordome_1.php


More information about the Link mailing list