Who's afraid of Mallory Wolf?
Ed Gerck
egerck at nma.com
Mon Mar 24 18:57:18 EST 2003
Ian Grigg wrote:
> ...
> The analysis of the designers of SSL indicated
> that the threat model included the MITM.
>
> On what did they found this? It's hard to pin
> it down, and it may very well be, being blessed
> with nearly a decade's more experience, that
> the inclusion of the MITM in the threat model
> is simply best viewed as a mistake.
I'm sorry to say it but MITM is neither a fable nor
restricted to laboratory demos. It's an attack available
today even to script kiddies.
For example, there is a possibility that some evil attacker
redirects the traffic from the user's computer to his own
computer by ARP spoofing. With the programs arpspoof,
dnsspoof and webmitm in the dsniff package it is possible
for a script kiddie to read the SSL traffic in cleartext (list
of commands available if there is list interest). For this attack
to work the user and the attacker must be on the same LAN
or ... the attacker could be somewhere else using a hacked
computer on the LAN -- which is not so hard to do ;-)
>...
> Clearly, the browsers should not discriminate
> against cert-less browsing opportunities
The only sign of the spoofing attack is that the user gets a
warning about the certificate that the attacker is presenting.
It's vital that the user does not proceed if this happens --
contrary to what you propose.
BTW, this is NOT the way to make paying for CA certs go
away. A technically correct way to do away with CA certs
and yet avoid MITM has been demonstrated to *exist*
(not by construction) in 1997, in what was called intrinsic
certification -- please see www.mcg.org.br/cie.htm
Cheers,
Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list