Quite the contrary. There is no method available for a MITM to replace the SSL
cert, as it can only reside where it is and is linked to private IP servers behind
the accelerator.
Erwann ABALEA wrote:

> On Tue, 19 Dec 2000, Thomas Nichols wrote:
>
> > The best method is to not have the SSL certificate and key on the server to
> > begin with. I use a non-ip based ssl accelerator.
>
> This is not a protection against this attack.
>
> This attack doesn't steal the private key of the host; it only relies on
> the "dumbness" of the users, who only click "OK" when a warning pops up
> (considering that the user doesn't know anything about PKI).
>
> This attack is not against SSL, or SSH, but only against the users.
>
> > Michael Sierchio wrote:
> >
> > > Eric Rescorla wrote:
> > >
> > > > This isn't a MITM attack, however.
> > >
> > > Sorry, Eric --  if you don't know or trust the signer, then you only
> > > know that the presenter (could be a MITM) has the private key associated
> > > with the pubkey in the cert.  This means that a MITM attack is entirely
> > > possible.  Trust in the CA is required to assure the binding of the
> > > SubjectPublicKeyInfo to the DN.  That's the feature that prevents
> > > the MITM attack.  There's also the convention among browser implementations
> > > that the CN should be the FQHN, which is a PITA for numerous reasons.
> > >
> > > Of course, your browser presents no warnings whatsoever for certs
> > > signed by any number of CAs that are "trusted" simply because their
> > > root certs are bundled with the browser.  And unless you manually
> > > retrieve a CRL, you only know that a cert was valid when it was
> > > issued.
> > > ______________________________________________________________________
> > > OpenSSL Project                                 http://www.openssl.org
> > > User Support Mailing List                    [EMAIL PROTECTED]
> > > Automated List Manager                           [EMAIL PROTECTED]
> >
>
> --
> Erwann ABALEA
> [EMAIL PROTECTED]
> RSA PGP Key ID: 0x2D0EABD5
> ------
> Computers can never replace human stupidity.
>

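As an added illustration of the thread's point (example code written for this page, not from any of the posters or from OpenSSL): the attack only works because the client offers an "OK" button. A client built the way Michael describes, requiring a trusted CA to bind the SubjectPublicKeyInfo to the name, requiring the name to match the host, and optionally checking a CRL, has nothing to click through and simply aborts the handshake. The two context builders below contrast the "click OK" configuration with the fail-closed one using only the Python standard library; the `crl_file` parameter and `fetch_peer_cert` helper are this example's own names.

```python
"""Fail-closed TLS client versus the "click OK" client, stdlib only."""
import socket
import ssl
from typing import Optional


def click_ok_context() -> ssl.SSLContext:
    """Models the user who accepts every warning: no signer check, no name check.
    Any presenter holding *some* private key, an interposer included, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # CN/SAN no longer has to be the FQHN
    ctx.verify_mode = ssl.CERT_NONE   # CA binding of SPKI to the DN is never checked
    return ctx


def strict_context(cafile: Optional[str] = None,
                   crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Fail-closed client: trusted CA required and hostname must match.
    If a PEM CRL is supplied, the leaf certificate is also checked against it,
    addressing the "only valid when issued" caveat from the thread."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if crl_file:
        # load_verify_locations accepts CRLs; with this flag set and no CRL
        # covering the leaf loaded, the handshake fails rather than proceeding.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-dict summary of the trust decisions a context will enforce."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def fetch_peer_cert(host: str, port: int = 443,
                    ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Connect and return the peer certificate. With strict_context() an
    untrusted signer or a name mismatch raises ssl.SSLCertVerificationError;
    there is no prompt, so the interposer's cert is never accepted."""
    ctx = ctx or strict_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `fetch_peer_cert("example.org", ctx=click_ok_context())` against an interposed connection and it returns whatever certificate is presented; the same call with the default strict context raises instead.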
