[Cryptography] Client certificates as a defense against MITM attacks

Jerry Leichter leichter at lrw.com
Mon Mar 17 18:16:28 EDT 2014


On Mar 17, 2014, at 5:00 PM, Nico Williams <nico at cryptonector.com> wrote:
>> An HTML cookie isn't bound to the end-to-end connection context.  A MITM simply passes it through.  The signed information I'm suggesting the client send *is* bound to that context, and isn't subject to this trivial vulnerability.
> 
> https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final162.pdf
Yup.  The same idea.  The details are a bit different (and their approach may be more general) but fundamentally I'm proposing the same thing they did.

I guess the time comes when some ideas are just ready to be found.

Thanks for the reference.
                                                        -- Jerry
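As an added illustration of the point in the quoted paragraph (this is not code from the thread or from the linked paper): a toy Python model of a client token bound to the server certificate the client actually negotiated with, next to a plain cookie. HMAC under a client key registered with the server stands in for the client-certificate signature, and the certificate bytes, nonce and cookie are constructed samples.

```python
import hashlib
import hmac

# Constructed sample values (not real keys or certificates).
CLIENT_KEY = b"client-secret-key-registered-with-server"
REAL_SERVER_CERT = b"DER bytes of the genuine server certificate"
MITM_CERT = b"DER bytes of the interceptor's certificate"
SESSION_COOKIE = b"session=abc123"

def channel_binding(server_cert_der: bytes) -> bytes:
    """Stand-in for the TLS 'tls-server-end-point' binding: the hash of the
    server certificate the client actually negotiated with."""
    return hashlib.sha256(server_cert_der).digest()

def client_token(client_key: bytes, binding: bytes, nonce: bytes) -> bytes:
    """Client-side 'signature' over the binding and a server nonce. HMAC under a
    registered client key stands in for a client-certificate signature (assumption)."""
    msg = b"bound-auth|" + binding + b"|" + nonce
    return hmac.new(client_key, msg, hashlib.sha256).digest()

def server_accepts(client_key: bytes, server_cert_der: bytes, nonce: bytes, token: bytes) -> bool:
    """The server recomputes the token over ITS OWN certificate, so a token
    minted against a different certificate never verifies."""
    expected = client_token(client_key, channel_binding(server_cert_der), nonce)
    return hmac.compare_digest(expected, token)

def relayed_cookie_accepted(presented: bytes) -> bool:
    """A cookie is checked by value alone; whoever relays it is accepted."""
    return hmac.compare_digest(presented, SESSION_COOKIE)

def direct_connection(nonce: bytes) -> bool:
    """Client negotiates TLS with the real server: bindings match."""
    token = client_token(CLIENT_KEY, channel_binding(REAL_SERVER_CERT), nonce)
    return server_accepts(CLIENT_KEY, REAL_SERVER_CERT, nonce, token)

def intercepted_connection(nonce: bytes) -> bool:
    """The client's TLS session terminates at the interceptor, so the token is
    bound to MITM_CERT; relaying it to the real server fails verification."""
    token = client_token(CLIENT_KEY, channel_binding(MITM_CERT), nonce)
    return server_accepts(CLIENT_KEY, REAL_SERVER_CERT, nonce, token)

if __name__ == "__main__":
    nonce = b"server-nonce-42"
    print("direct, bound token:", direct_connection(nonce))          # True
    print("relayed, bound token:", intercepted_connection(nonce))    # False
    print("relayed cookie:", relayed_cookie_accepted(SESSION_COOKIE))  # True
```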

