> Brian Hatch wrote:
> > Ahha! I know what we'll do, we'll require certificate authentication!
> > Ok, assuming I have a list of the major CAs and the certificate
> > verified correctly
> You're missing the point. A hijack or redirect is not a MITM
> attack. These words have specific meaning, which you are abusing.

Hijacks and redirects are all within the scope of what a MITM can do. You want a simple definition of a MITM? Here it is -- you think you have:

server <-> network <-> client

But under a MITM attack, you really have:

server <-> MITM <-> client

The MITM can do anything he wants from his position, including pass the data unmolested, drop bytes, or change them in both directions. Hijacking and redirection all occur on the wire between the server and the client, so they're all within the scope of a MITM attack.

To put it simply, a MITM attack is any attack that can be performed by someone who has complete control over the network between the server and the client, that is, he is in the middle instead of a trusted network.

If you think MITM means something else, please present your definition. I have a feeling you'll find it becomes incoherent.

DS

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]