Wikipedia is right in principle, but doesn't cover the case of TCP
hijacking. By reliable delivery guarantee, it means the transport layer,
once the data has left the application layer (i.e. when it is placed on the
wire). Of course no guarantees are offered for the application layer, where
the application is free to send anything it wants.
It would require a lot of effort, but a transparent proxy can rewrite IP
source headers, sequence numbers, ACKs and, if it has followed all algos and
key exchanges, even regenerate those. HMAC is nothing more than a glorified
CRC encoded with some secret exchanged at the start. Anyone who captures that
secret can regenerate all MACs.
Transparent proxies and gateways are always a concern in security.
BR,
Nikos
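As an added illustration (not part of either message), a Python sketch of the TLS 1.0-1.2 record MAC that the discussion above is about: the session key, payloads and function names are constructed for the example. It shows what a receiver does with a record that a rewriting proxy has altered, both when the proxy lacks the MAC key and when it holds it, and that the record sequence number is covered by the MAC as well.

```python
import hmac
import hashlib
import struct

# Constructed session key: in TLS the MAC key is derived during the handshake;
# a proxy only holds it if it has followed the key exchange, as the message says.
SESSION_KEY = hashlib.sha256(b"constructed-example-key").digest()
VERSION = b"\x03\x01"      # TLS 1.0 record-layer version
APPLICATION_DATA = 23      # ContentType application_data


def record_mac(key: bytes, seq_num: int, fragment: bytes) -> bytes:
    """TLS 1.0-1.2 record MAC: HMAC(seq_num || type || version || length || fragment).
    The 64-bit sequence number is a counter kept by both ends, not a field on the wire."""
    header = struct.pack("!QB2sH", seq_num, APPLICATION_DATA, VERSION, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


def build_record(seq_num: int, fragment: bytes, key: bytes = SESSION_KEY) -> dict:
    """Sender side: attach the MAC tag to the plaintext fragment."""
    return {"seq": seq_num, "fragment": fragment, "tag": record_mac(key, seq_num, fragment)}


def receiver_accepts(record: dict, expected_seq: int, key: bytes = SESSION_KEY) -> bool:
    """Receiver recomputes the MAC with its own counter; a mismatch is a fatal bad_record_mac."""
    expected = record_mac(key, expected_seq, record["fragment"])
    return hmac.compare_digest(expected, record["tag"])


def proxy_rewrite(record: dict, new_fragment: bytes, key: bytes = None) -> dict:
    """A transparent proxy alters the payload. Without the key it can only keep the
    old tag; with the key it can regenerate the tag for the new payload."""
    if key is None:
        return {**record, "fragment": new_fragment}
    return build_record(record["seq"], new_fragment, key)


def demo() -> dict:
    """Four cases a receiver may see; True means the record is accepted."""
    original = build_record(0, b"GET /balance HTTP/1.1\r\n")
    altered = b"GET /x HTTP/1.1\r\n"
    return {
        "intact": receiver_accepts(original, 0),
        "rewritten_without_key": receiver_accepts(proxy_rewrite(original, altered), 0),
        "rewritten_with_key": receiver_accepts(proxy_rewrite(original, altered, SESSION_KEY), 0),
        "replayed_as_next_record": receiver_accepts(original, 1),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected (bad_record_mac)'}")
```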
----- Original Message -----
From: "Andrey Koltsov" <kolt...@cyberplat.com>
To: <openssl-users@openssl.org>
Sent: Monday, May 18, 2009 8:59 AM
Subject: Re: SSL attack scenario
João Távora writes:
What this article says is this: if you *received* data from a TCP connection
it will be "without duplication or losing data". It doesn't say: if you
*send* data it will be received correctly by the other host. It's impossible
to guarantee.
--
Andrey Koltsov
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org