On Mon, Feb 05, 2001 at 04:05:01PM +0100, Gil Peeters wrote:
> >> "Just like Kurt Seifert's paper describes
> >> MITM attacks that depend on user stupidity
> >> (ignoring warnings about CN not matching
> >> or expired or unknown CA)."
> Would anyone have a reference to this paper??
> This is a point I have been trying to make to some "security" people where
> I am currently contracting.
What point is that? The fact that "stupid user tricks" can
defeat their best security measures (the primary point of Kurt's paper
was that SSL and SSH couldn't prevent stupid users from ignoring errors)?
Ok...
Here is Kurt's original article:
http://www.securityportal.com/cover/coverstory20001218.html
You can find some extensive, well-thought-out discussion in the
BugTraq archives from about Dec 19, 2000 through Dec 23, 2000.
http://www.securityfocus.com/templates/archive.pike?start=2000-12-18&end=2000-12-24&list=1&threads=0&
(Navigating the BugTraq archives can be a real pain since they
force you into these asinine frames).
Here is my rebuttal to Kurt's article on BugTraq:
http://www.securityfocus.com/archive/1/152239
Here is Richard Silverman's (author of the O'Reilly book on SSH)
rebuttal to Kurt's original article:
http://sysadmin.oreilly.com/news/silverman_1200.html
And here is Kurt's response to Richard's rebuttal:
http://www.securityportal.com/seifried/sslssh-followup20001222.html
> G.
>
> --
> ================================================
> Gil Peeters
> BVBA CANCAS I.T.
> Willemsstraat 2
> 3000 Leuven
> Belgium
> ================================================
> JAVA and Distributed Object Specialists
> ================================================
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!