Kurt Seifried has written an article (www.securityportal.com) in which
 he claims there are man-in-the-middle attacks against SSL. I think
his article is wrong, but he has conveniently left off enough technical
details of his attack so that he can always say he meant something else.

The problem is that it is getting a surprising amount of play. I put in my
two cents on Slashdot yesterday, but today I saw some posts on
the IPSec mailing list referencing the Seifried article.

I guess I am most curious about just what his man-in-the-middle
attack is? My guess is that he is claiming his MITM can replace the
legitimate server certificate with one of his own choosing. I suspect
Seifried doesn't understand the CN check which is performed by
SSL clients and outlined in section 3 of
http://www.rfc-editor.org/rfc/rfc2818.txt.
If anybody can figure out what he is really claiming, please e-mail the
list.

Thanks,

Greg Stark, [EMAIL PROTECTED]
Chief Security Architect
Ethentica, Inc.
www.ethentica.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
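The CN check referenced in the post above is the server identity check of RFC 2818 section 3.1: a client compares the hostname it intended to reach against the certificate's subjectAltName dNSName entries (or, only when none are present, the Common Name), so a certificate that is validly signed for some other hostname is still rejected. The following is an added illustration written for this page, not code from the post's author or from the OpenSSL project; certificates are modelled as plain dicts (constructed sample data) rather than parsed X.509 objects, and the function and constant names are hypothetical.

```python
"""Hostname matching per RFC 2818 section 3.1, as a standalone illustration.

Constructed example: a certificate is a dict with an optional "cn"
(Common Name) and a list "san_dns" (subjectAltName dNSName entries),
so the check runs offline without any TLS library.
"""
import re


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label of the hostname against one certificate label.

    RFC 2818 lets '*' stand for a single label or a fragment of one
    ("*.a.com" matches "foo.a.com"; "f*.com" matches "foo.com"), and the
    wildcard never spans a dot.
    """
    regex = re.escape(pattern).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, label, re.IGNORECASE) is not None


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare a certificate name with a hostname label by label."""
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `cert` is valid for `hostname` under RFC 2818 3.1.

    When subjectAltName dNSName entries exist they are authoritative and
    the Common Name is ignored; the CN is consulted only as a fallback.
    """
    hostname = hostname.rstrip(".")
    dns_names = cert.get("san_dns") or []
    candidates = dns_names if dns_names else [cert.get("cn", "")]
    return any(_name_matches(name, hostname) for name in candidates if name)


# Constructed sample certificates (hypothetical names, not real hosts).
LEGIT_CERT = {"cn": "www.bank.example",
              "san_dns": ["www.bank.example", "bank.example"]}
# A properly signed certificate for a different host: this is what a
# substituted certificate looks like to the client, and the check rejects it.
OTHER_HOST_CERT = {"cn": "other.example", "san_dns": ["other.example"]}
# SAN present, so the matching CN must be ignored.
CN_ONLY_MATCHES_CERT = {"cn": "www.bank.example", "san_dns": ["other.example"]}
WILDCARD_CERT = {"cn": "*.example.com", "san_dns": []}
FRAGMENT_WILDCARD_CERT = {"cn": "f*.com", "san_dns": []}


def demo() -> dict:
    """Evaluate the sample certificates against the hosts a client asked for."""
    return {
        "legit_www": hostname_matches(LEGIT_CERT, "www.bank.example"),
        "legit_apex": hostname_matches(LEGIT_CERT, "bank.example"),
        "substituted": hostname_matches(OTHER_HOST_CERT, "www.bank.example"),
        "cn_ignored": hostname_matches(CN_ONLY_MATCHES_CERT, "www.bank.example"),
        "wildcard_one_label": hostname_matches(WILDCARD_CERT, "foo.example.com"),
        "wildcard_two_labels": hostname_matches(WILDCARD_CERT, "a.b.example.com"),
        "wildcard_apex": hostname_matches(WILDCARD_CERT, "example.com"),
        "fragment": hostname_matches(FRAGMENT_WILDCARD_CERT, "foo.com"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>20}: {'accept' if ok else 'reject'}")
```

The `substituted` and `cn_ignored` cases are the ones that matter for the question raised in the post: a certificate that is genuine but issued for a different name fails the check, and a matching Common Name does not rescue a certificate whose subjectAltName entries name another host.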
