man in the middle, SSL

Scott G Kelly scott at hyperthought.com
Sat Feb 3 12:10:54 EST 2007


James Muir wrote:
> I was reading a hacking blog today and came across this:
> 
> http://www.darknet.org.uk/2007/02/odysseus-win32-proxy-telemachus-http-transaction-analysis/
> 
> 
>> Odysseus is a proxy server, which acts as a man-in-the-middle during
>> an HTTP session. A typical HTTP proxy will relay packets to and from
>> a client browser and a web server. Odysseus will intercept an HTTP
>> session’s data in either direction and give the user the ability to
>> alter the data before transmission.
>>
>> For example, during a normal HTTP SSL connection a typical proxy will
>> relay the session between the server and the client and allow the two
>> end nodes to negotiate SSL. In contrast, when in intercept mode,
>> Odysseus will pretend to be the server and negotiate two SSL
>> sessions, one with the client browser and another with the web
>> server.
>>
>> As data is transmitted between the two nodes, Odysseus decrypts the
>> data and gives the user the ability to alter and/or log the data in
>> clear text before transmission.
>>
>> You can find more and download Odysseus here:
>>
>> http://www.bindshell.net/tools/odysseus
> 
> It is my understanding that SSL is engineered to resist mitm attacks, so
> I am suspicious of these claims.  I wondered if someone more familiar
> with SSL/TLS could comment.
> 
> Isn't it the case that the application doing SSL on the client should
> detect what this proxy server is doing and display a warning to the user?

If the user's browser is configured to accept a CA cert for which the
proxy holds the signing key, then the proxy can generate a (bogus) cert
for the destination site on the fly, and this will be transparent to the
user.

Scott
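The trust decision Scott describes, worked through as an added example (this is not code from the thread or from the Odysseus project): a browser accepts any leaf certificate that chains to a CA in its trust store for the requested host name, so once an intercepting proxy's CA is imported, a certificate the proxy mints for the real host validates with no warning. The same code shows the usual mitigation on the client side, pinning the expected issuer's public key, which rejects the forged certificate even when the proxy's CA is trusted. All keys and certificates are generated at run time, and the CA names and host (`Real Site CA`, `Intercepting Proxy CA`, `www.example.com`) are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example: keys, certificates, CA names and the host are all made up here.

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a CA template (isCA) or a server-leaf template for name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl under parent with signer's key; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// accepts mirrors the browser decision: leaf must chain to a root in the store for
// host. A non-nil pin (a SubjectPublicKeyInfo; deployments pin its SHA-256) must also
// appear somewhere in a valid chain, so an extra trusted CA alone is not enough.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host string, pin []byte) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil || pin == nil {
		return err == nil
	}
	for _, chain := range chains {
		for _, c := range chain {
			if bytes.Equal(c.RawSubjectPublicKeyInfo, pin) {
				return true
			}
		}
	}
	return false
}

// Outcome records the four checks made by Scenario.
type Outcome struct{ ForgedRejected, ForgedAcceptedWithProxyCA, PinCatchesForged, PinAcceptsGenuine bool }

func Scenario() Outcome {
	const host = "www.example.com"
	siteCA, siteKey := issue(template("Real Site CA", true), nil, nil)
	proxyCA, proxyKey := issue(template("Intercepting Proxy CA", true), nil, nil)
	genuine, _ := issue(template(host, false), siteCA, siteKey)
	forged, _ := issue(template(host, false), proxyCA, proxyKey) // same name, proxy's issuer
	pin := siteCA.RawSubjectPublicKeyInfo                       // the real issuer's key
	onlySite := x509.NewCertPool()                               // default trust store
	onlySite.AddCert(siteCA)
	withProxy := x509.NewCertPool() // trust store after the proxy's CA was imported
	withProxy.AddCert(siteCA)
	withProxy.AddCert(proxyCA)
	return Outcome{
		ForgedRejected:            !accepts(forged, onlySite, host, nil),
		ForgedAcceptedWithProxyCA: accepts(forged, withProxy, host, nil),
		PinCatchesForged:          !accepts(forged, withProxy, host, pin),
		PinAcceptsGenuine:         accepts(genuine, withProxy, host, pin),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints all four fields as `true`: the forged certificate is refused while only the site's CA is trusted (the warning James expects), is accepted once the proxy's CA is in the store (Scott's point), and is refused again by the pin check, which still accepts the genuine chain.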

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com