On Mon, Sep 24, 2007 at 12:31:15PM -0700, David Schwartz wrote:

> > Hello David,
> > I would like to learn more on MITM in this particular scenario. I
> > used to believe that if a server is using a signed certificate,
> > the MITM is not possible (Is it possible with techniques like DNS
> > poisoning?). Looks like I missed something important. Could you
> > point me to the information on this?
> 
> It's really quite simple. A signed certificate does not itself stop a MITM.
> What stops a MITM is the combination of two things:
> 
> 1) The real server having something the MITM does not have, and
> 
> 2) The client verifying that something in a way the MITM cannot fake.
> 
> If you have both of those two things, you don't have to worry about a MITM.
> 
> In the typical Internet/browser case, if I go to https://www.amazon.com, I
> am relying on my browser to make sure that the certificate presented has
> 'www.amazon.com' as the name the CA is vouching for and I'm relying on no CA
> that I trust issuing such a certificate to a MITM. So long as those two
> rules apply, I am fine.

And behind the scenes the SSL handshake is signed with the server's
private key and verified by the browser with the server's public key.

> The case I was talking about is where you allow the server to use a
> self-signed certificate or for some other reason the certificate does not
> contain the server's name vouched for by someone you trust. In that case,
> you need to stop a MITM some other way. The SSL protocol won't do it for you
> with a self-signed certificate or a certificate not signed by a trusted CA
> that contains the name the client is trying to reach.

SSL works just fine to prevent MITM with self-signed certs, provided
the client has prior knowledge of the self-signed cert. It can then
check for the right public key, or the right certificate fingerprint
(more convenient via the OpenSSL API than extracting public keys, ...)

> Basically, in this case you can use the original SSL authentication to
> bootstrap a separate MITM detection step. I strongly recommend doing this in
> a custom application if you use SSL in a way that prevents its normal MITM
> detection from being effective.

I strongly disagree. How does the client tie this "separate detection"
step to the protocol handshake? Why ask users to invent
very-difficult-to-get-right security protocols?

> In this case, the OP was defeating SSL's normal MITM detection because his
> server certificate does not contain a name vouched for by a trusted CA.
> That's why I suggested an alternate means of MITM detection.

No, self-signed certs don't defeat MITM detection, they defeat the
X.509 PKI trust model for server authentication, so authentication of
the server cert needs to use a different trust model.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
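The pin-the-fingerprint approach Viktor describes (client has prior knowledge of the self-signed cert and checks its fingerprint during the handshake), as an added example that is not from this thread and not OpenSSL code: Go's crypto/tls stands in for the OpenSSL API, the client disables CA-based verification and instead aborts the handshake unless the server's certificate has the expected SHA-256 fingerprint, exercised over a loopback connection with a constructed self-signed certificate. The function names and the loopback setup are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the hex SHA-256 of a DER certificate, the value the client knows ahead of time.
func Fingerprint(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// PinnedClientConfig replaces the CA trust model: the handshake is aborted unless the presented
// leaf certificate's fingerprint equals the pin, and the hook runs inside the handshake itself.
func PinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // disables PKI chain and name checks only; the hook below replaces them
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || Fingerprint(raw[0]) != pin {
				return fmt.Errorf("peer certificate does not match pinned fingerprint %s", pin)
			}
			return nil
		},
	}
}

// SelfSignedCert builds a throwaway self-signed server certificate (constructed for this example).
func SelfSignedCert() (tls.Certificate, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, der, err
}

// HandshakeWithPin runs a loopback TLS handshake against a server presenting cert while the client
// is pinned to pin; a server holding any other certificate (an interposed one, say) fails here.
func HandshakeWithPin(cert tls.Certificate, pin string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil { return err }
	defer ln.Close()
	go func() { // server side: accept one connection and run its half of the handshake
		if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() }
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), PinnedClientConfig(pin))
	if err != nil { return err }
	return conn.Close()
}
```

Because the check sits in the verify callback, no application data is exchanged before the pin is confirmed; a mismatch surfaces as a handshake error rather than as a later, separate step.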