man in the middle, SSL

Erik Tews e_tews at cdc.informatik.tu-darmstadt.de
Sat Feb 3 11:35:43 EST 2007


On Friday, 02.02.2007, 16:15 -0500, James Muir wrote:
> > You can find more and download Odysseus here:
> > 
> > http://www.bindshell.net/tools/odysseus
> 
> It is my understanding that SSL is engineered to resist mitm attacks, so
> I am suspicious of these claims. I wondered if someone more familiar
> with SSL/TLS could comment.
> 
> Isn't it the case that the application doing SSL on the client should
> detect what this proxy server is doing and display a warning to the
> user?

An unmodified SSL/TLS client should display a warning message that the
server certificate is invalid, or something similar. So this is not a
valid man in the middle attack against SSL/TLS.

Perhaps you are going to use this tool for debugging purposes. If so, you
can perhaps generate a certificate with a private key. The certificate is
installed in your SSL/TLS client as a trusted certification authority,
and the certificate and the private key are then used by Odysseus to make
these warning messages go away.
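The two situations Erik describes, as an added example that is not from this thread or from Odysseus: a proxy CA and a leaf certificate are constructed in memory with Go's crypto/x509, and the leaf is checked the way an unmodified client checks a server certificate, first against a trust store without the proxy's CA and then with it installed. The host name www.example.com and the CA name are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// ProxyChain builds what an intercepting proxy presents for host: a leaf
// signed by the proxy's own CA. Both are constructed in memory for this demo.
func ProxyChain(host string) (ca, leaf *x509.Certificate, err error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Debug Proxy CA (constructed)"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{ // names whatever host the client asked for
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafKey.Public(), caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// ClientCheck is what an unmodified TLS client does: chain the presented leaf
// to a trusted root for the intended host. trustedCA == nil models the normal
// trust store, which does not contain the proxy's CA.
func ClientCheck(leaf *x509.Certificate, host string, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool() // non-nil but empty, so system roots are not consulted
	if trustedCA != nil {
		roots.AddCert(trustedCA)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

Without the proxy CA in the store the check fails with an unknown-authority error (the warning the client shows); once the CA is trusted the same leaf verifies cleanly, which is why an unexpected root in a client's trust store deserves the same scrutiny as a certificate warning.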

