[Cryptography] self-MITMing my own TLS connection ...
ianG
iang at iang.org
Tue Feb 17 07:04:37 EST 2015
Interesting case study of where the market for MITMs is going...
https://tlsnotary.org/
How it Works
A user, called the 'auditee', wants to prove to another user, called the
'auditor', a certain fact attested to by an organisation (a bank, a
government, a company etc.). This fact could be a monetary balance on an
account, the fact of a money transfer, a particular set of identity
information such as address, amongst others. The auditor and auditee
create an encrypted messaging connection between each other over some
neutral communication channel (such as IRC). The auditee connects to the
website as normal and logs in, and then browses to the specific page
that proves the required information. Then the auditor and auditee use
their encrypted connection to negotiate secrets for the SSL/TLS session
such that the auditor can find out what is on the page that the auditee
loads, without gaining control of the connection or seeing the auditee's
login details. The diagram below gives the outline of what happens.
https://tlsnotary.org/images/walkthrough_diagram_simplified.svg
white paper: https://tlsnotary.org/TLSNotary.pdf
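As an added example (not TLSNotary's own code; the real protocol's key derivation and record cipher differ), a Python model of the property the quoted description claims: the auditor holds the server MAC key, the auditee holds the record encryption key, and the auditee commits to the ciphertext before the MAC key is revealed, so the auditor can check what was on the page without controlling the session or seeing the login. The key split, the constructed keys and the toy XOR cipher are assumptions of the model.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag length


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for the TLS record cipher: XOR with a SHA-256 keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def server_record(enc_key: bytes, mac_key: bytes, page: bytes) -> bytes:
    """Server side: MAC-then-encrypt one record, as TLS does. The server
    holds both keys; in this model the auditee got only enc_key and the
    auditor only mac_key from the (assumed) split key derivation."""
    tag = hmac.new(mac_key, page, hashlib.sha256).digest()
    return xor_stream(enc_key, page + tag)


def auditee_commit(record: bytes) -> bytes:
    """Auditee commits to the ciphertext before the auditor releases mac_key."""
    return hashlib.sha256(record).digest()


def auditor_verify(commit, mac_key, record, enc_key, claimed_page) -> bool:
    """Auditor, after revealing mac_key: the ciphertext must be the one
    committed to, decrypt to the claimed page, and carry a valid server MAC
    under the key that only the auditor held at commit time."""
    if not hmac.compare_digest(hashlib.sha256(record).digest(), commit):
        return False
    plain = xor_stream(enc_key, record)
    page, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    if page != claimed_page:
        return False
    expected = hmac.new(mac_key, page, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def run_audit(page: bytes, forged_page=None) -> bool:
    """Whole flow with constructed keys. If forged_page is given, the auditee
    swaps in a record after learning mac_key; the earlier commitment exposes it."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    record = server_record(enc_key, mac_key, page)
    commit = auditee_commit(record)  # sent to the auditor
    # the auditor now reveals mac_key to the auditee
    if forged_page is not None:
        record, page = server_record(enc_key, mac_key, forged_page), forged_page
    return auditor_verify(commit, mac_key, record, enc_key, page)
```

Only the single server-to-client record is revealed; the client-to-server records carrying the login use keys the auditor never receives in this model.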