[Cryptography] Client certificates as a defense against MITM attacks
Jerry Leichter
leichter at lrw.com
Mon Mar 17 18:16:28 EDT 2014
On Mar 17, 2014, at 5:00 PM, Nico Williams <nico at cryptonector.com> wrote:
>> An HTML cookie isn't bound to the end-to-end connection context. A MITM simply passes it through. The signed information I'm suggesting the client send *is* bound to that context, and isn't subject to this trivial vulnerability.
>
> https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final162.pdf
Yup. The same idea. The details are a bit different (and their approach may be more general) but fundamentally I'm proposing the same thing they did.
I guess the time comes when some ideas are just ready to be found.
Thanks for the reference.
-- Jerry
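An added illustration, not code from this thread or from the referenced paper, of the distinction the quoted paragraph draws: a bearer cookie is accepted wherever it turns up, while a token computed over the client's own connection context fails when a MITM relays it over a different connection. It assumes an HMAC with a pre-registered client secret as a stand-in for the client-certificate signature, and a hash of a connection label as a stand-in for a per-TLS-connection value such as tls-unique.

```python
import hashlib
import hmac

# Constructed, illustrative values: a secret the client registered with the
# server earlier (stands in for a client key pair), and a cookie issued at login.
CLIENT_KEY = b"client-secret-registered-with-server"
SESSION_COOKIE = b"sid=7f3a9c"


def channel_binding(conn_id: str) -> bytes:
    # Stand-in for a per-TLS-connection value such as tls-unique: every
    # handshake yields a different value that only its two endpoints share.
    return hashlib.sha256(b"tls-handshake:" + conn_id.encode()).digest()


def client_sign(key: bytes, binding: bytes, request: bytes) -> bytes:
    # The client authenticates the request together with the binding of the
    # connection it is actually sending on.
    return hmac.new(key, binding + b"|" + request, hashlib.sha256).digest()


def server_accepts_bound(key: bytes, binding: bytes, request: bytes, tag: bytes) -> bool:
    # The server recomputes over the binding of the connection it terminated,
    # so a tag made over some other connection's binding does not verify.
    return hmac.compare_digest(client_sign(key, binding, request), tag)


def server_accepts_cookie(cookie: bytes) -> bool:
    # Nothing ties a bearer cookie to the connection it arrived on.
    return hmac.compare_digest(cookie, SESSION_COOKIE)


def simulate(through_mitm: bool) -> dict:
    request = b"GET /account"
    # The client's TLS connection ends at the MITM or directly at the server.
    client_side = channel_binding("client<->mitm" if through_mitm else "client<->server")
    # The connection the server terminates comes from the MITM or from the client.
    server_side = channel_binding("mitm<->server" if through_mitm else "client<->server")
    tag = client_sign(CLIENT_KEY, client_side, request)
    # The MITM forwards cookie, request and tag byte-for-byte.
    return {
        "cookie": server_accepts_cookie(SESSION_COOKIE),
        "bound": server_accepts_bound(CLIENT_KEY, server_side, request, tag),
    }


if __name__ == "__main__":
    print("direct:", simulate(False))  # both accepted
    print("mitm:  ", simulate(True))   # cookie passes through, bound token rejected
```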