No. A MITM attack can also occur even if you're using a crypto
accelerator. The only way this attack cannot occur is if you ask for
client authentication.
- the sniffer generates a self-signed certificate with the same name as
your server cert (www.secure.site)
- the browser wants to connect to your site (www.secure.site), but
instead connects to the sniffer (sniff.evil.domain)
- the sniffer negociates the SSL session with the browser, by presenting
the newly generated self-signed cert
- the browser gets a warning claiming that the cert is invalid
- the attack goes there: the user only clicks OK because he doesn't know
anything about PKI
- the sniffer then establishes a SSL session with your server, using your
crypto accelerator if you want. In this exact case, the sniffer only
acts as a valid customer browser, so this connection is perfectly
valid.
- the sniffer then routes all the data between the beowser and the
server, but all this data is cleartext in it's own address space, and
ciphered between (browser, sniffer) and (sniffer, server).
So your cryptoboard cannot do anything against a dumb user being sniffed.
Again: the attack has nothing to do with the server, or the cryptoboard
the server might have.
On Tue, 19 Dec 2000, Thomas Nichols wrote:
> Quite the contrary. There is no method available for an MIIM to replace the SSL
> cert as it can only reside where it is and is linked to private IP servers behind
> the accelerator.
> Erwann ABALEA wrote:
>
> > On Tue, 19 Dec 2000, Thomas Nichols wrote:
> >
> > > The best method is to not have the SSL certificate and key on the server to
> > > begin with. I use a non-ip based ssl accelerator.
> >
> > This not a protection against this attack.
> >
> > This attack doesn't steal the private key of the host, it only relies on
> > the "dumbness" of the users, which only clicks "OK" when a warning pops up
> > (considering that the user doesn't know anything about PKI).
> >
> > This attack is not against SSL, or SSH, but only against the users.
--
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
------
Against stupidity, the Gods themselves, contend in vain!
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
