[78719] in cryptography@c2.net mail archive
Re: man in the middle, SSL
daemon@ATHENA.MIT.EDU (Erik Tews)
Sat Feb 3 12:25:49 2007
From: Erik Tews <e_tews@cdc.informatik.tu-darmstadt.de>
To: James Muir <jamuir@scs.carleton.ca>
Cc: cryptography@metzdowd.com
In-Reply-To: <45C3A9FE.4060203@scs.carleton.ca>
Date: Sat, 03 Feb 2007 17:35:43 +0100
On Friday, 02.02.2007 at 16:15 -0500, James Muir wrote:
> > You can find more and download Odysseus here:
> >
> > http://www.bindshell.net/tools/odysseus
>
> It is my understanding that SSL is engineered to resist mitm attacks,
> so I am suspicious of these claims. I wondered if someone more familiar
> with SSL/TLS could comment.
>
> Isn't it the case that the application doing SSL on the client should
> detect what this proxy server is doing and display a warning to the
> user?
An unmodified SSL/TLS client should display a warning message that the
server certificate is invalid or something similar. So this is not a
valid man in the middle attack against SSL/TLS.

Perhaps you are going to use this tool for debugging purposes. If so, you
can perhaps generate a certificate with a private key. The certificate is
installed in your SSL/TLS client as a trusted certification authority
and the certificate and the private key are then used by Odysseus to make
these warning messages go away.
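As an added illustration (not code from this thread or from the Odysseus tool), the check an unmodified TLS client makes and why installing the debugging CA silences the warning, using Go's crypto/x509 with a throwaway CA, leaf certificate and hostname constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent's key (self-signed when parent == tmpl); hypothetical helper.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced above, so it parses
	return cert
}

// ClientCheck is what an unmodified TLS client does before trusting a server:
// the leaf must chain to a CA in roots and must be issued for host.
func ClientCheck(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario builds a throwaway CA plus a leaf for host signed by it (the
// debugging setup the mail describes) and runs ClientCheck three ways.
func Scenario(host string) (unmodified, withCA, wrongHost error) {
	now, validity := time.Now(), 24*time.Hour
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Debug Proxy CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(validity),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(validity),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, &leafKey.PublicKey, caKey)
	// An empty (non-nil) pool stands in for a client that has never seen this CA.
	unmodified = ClientCheck(leaf, x509.NewCertPool(), host)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the CA installed as a trusted authority, which silences the warning
	withCA = ClientCheck(leaf, trusted, host)
	wrongHost = ClientCheck(leaf, trusted, "other.test") // right CA, wrong name: still rejected
	return unmodified, withCA, wrongHost
}
```

Only the first case reproduces what the mail expects from an unmodified client; the third shows that even an installed CA does not excuse a certificate issued for a different name.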
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com