SSL/TLS passive sniffing

Ben Nagy bnagy at eeye.com
Tue Nov 30 03:34:18 EST 2004


Hi all,

I'm a bumbling crypto enthusiast as a sideline to my other, real, areas of
security expertise. Recently a discussion came up on firewall-wizards about
passively sniffing SSL traffic by a third party, using a copy of the server
cert (for, eg, IDS purposes).

There was some question about whether this is possible for connections that
use client-certs, since it looks to me from the spec that those connections
should be using one of the Diffie Hellman cipher suites, which is obviously
not vulnerable to a passive sniffing 'attack'. Active 'attacks' will
obviously still work. Bear in mind that we're talking about deliberate
undermining of the SSL connection by organisations, usually against their
website users (without talking about the goodness, badness or legality of
that), so "how do they get the private keys" isn't relevant.

However, I was wondering why the implementors chose the construction used
with the RSA suites, where the client PMS is encrypted with the server's
public key and sent along - it seems to make this kind of escrowed passive
sniffing very easy. I can't think why they didn't use something based on DH
- sure you only authenticate one side of the connection, but who cares? Was
it simply to save one setup packet?

Anyone know?

Cheers,

ben


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list