> >No, I am not at all confused. You are confused and immune to
> >education and
> >based on the number of emails I've gotten about this thread from
> >professional security people, I'm pretty sure I'm right
>
> David, I am a security professional, and I have the greatest respect for
> Rich Sal
> SSL/TLS plus good authentication methods is immune to MITM attacks.[1]
>
> [1] Depending on everyone you trust being trustworthy. What if I'm
> a verisign employee and can manage to generate a verisign-signed
> cert for www.microsoft.com? I can MITM, and no alerts will occur
> unti
> Sorry David, but your definition of MITM is wrong. Or, more accurately,
> it is not aligned with how cryptographers and security analysts
> generally conceive it.
I don't see how. I just went to 35 sites that defined MITM and all of them
defined them the way I did.
> In an MITM attack
David Schwartz wrote:
No, I am not at all confused. You are confused and immune to education and
based on the number of emails I've gotten about this thread from
professional security people, I'm pretty sure I'm right
David, I am a security professional, and I have the greatest respect for
> Hi,
> On July 25, 2003 01:45 pm, David Schwartz wrote:
> > Hijacks and redirects are all within the scope of what a
> > MITM can do.
> No, they are only within the scope of what an attacker can do. The attacker
> becomes a MITM if they can do it without you knowing anything's wrong.
T
> David Schwartz wrote:
> > Hijacks and redirects are all within the scope of what a
> > MITM can do.
> That's a Humpty-Dumpty argument, not the definition used by
> cryptographers.
> You're simply confused, or are immune to education.
No, I am not at all confused. You are confused
I got it to work; the command below just needs:
" -extfile ../openssl.cnf -extensions usr_cert"
I had ASSUMED that since "openssl req" and "openssl ca" can find the "openssl.cnf" file, that "openssl x509" could also.
-- Dean
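Dean's fix above, as a complete, re-runnable procedure. This is an added example, not a script from the thread: it creates a throwaway private CA, generates a CSR for a printer-style hostname (hplj4600dn1.example.test is an assumed name, as is the ext.cnf file and its usr_cert section), signs it with `openssl x509 -req` plus `-extfile`/`-extensions` so the V3 extensions actually land in the certificate, and then checks the result with `openssl verify` and a text dump. It needs the openssl command line tool on the path.

```shell
#!/bin/sh
# Sign a device CSR with a private CA and attach X509v3 extensions.
# Added example; the CA name, hostname and ext.cnf are assumptions.
sign_printer_csr() (
    dir="$1"
    host="hplj4600dn1.example.test"      # assumed printer FQDN
    cd "$dir" || return 1

    # 1. Throwaway private CA (self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Private CA" -keyout ca.key -out ca.pem \
        2>/dev/null || return 1

    # 2. The device's CSR; in the thread this came from the JetDirect card.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$host.key" -out "$host.csr" \
        2>/dev/null || return 1

    # 3. Extensions for an end-entity TLS server cert. 'openssl x509' does
    #    not read openssl.cnf on its own, hence the explicit -extfile below.
    cat > ext.cnf <<EOF
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 4. Sign. -set_serial 01 mirrors the thread; a real CA must give every
    #    certificate it issues a unique serial number.
    openssl x509 -req -in "$host.csr" -CA ca.pem -CAkey ca.key \
        -set_serial 01 -days 365 -sha256 \
        -extfile ext.cnf -extensions usr_cert -out "$host.crt" \
        2>/dev/null || return 1

    # 5. Check the chain and confirm the SAN made it into the certificate.
    openssl verify -CAfile ca.pem "$host.crt" >/dev/null || return 1
    openssl x509 -in "$host.crt" -noout -text | grep -q "DNS:$host" || return 1
)
```

Run it as `sign_printer_csr "$(mktemp -d)"`; a zero exit means the signed certificate verifies against the CA and carries the subjectAltName, which is what a client doing proper name matching will look for.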
Dean Gibson (System Administrator) wrote on 2003-07-25 11:49:
Thanks
> And this is precisely the crux of why I think this thread is a waste of
> bandwidth.
Agreed.
I'll end, promising to shut up after this, with the following summary
1) SSL/TLS has the capabilities to be immune to MITM attacks.
2) These capabilities may be used in any number
On Fri, Jul 25, 2003, Wu Junwei wrote:
> Hi, all
>
> I have a question on certificate verifying.
> In X509_verify_cert(), after checking the purpose (my understanding is to
> check the extension of the V3 certificate),
> it checks the so-called trust :
>
> if (ctx->trust > 0) ok = check_trus
Hi,
On July 25, 2003 03:13 pm, Brian Hatch wrote:
> SSL/TLS provides the *ability* for you to know something is wrong
> *if* the developers correctly used the tools available to them.
> Without enforcing certificate authentication and/or CN matching,
> the user will not know anything is wrong. Th
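Brian Hatch's point is that the protocol only protects you if the client verifies the chain and then checks that the name in the certificate is the host it asked for. The following is an added example, not code from the thread: it implements that name check over the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, applying the RFC 6125 wildcard rules (a wildcard only as the whole left-most label, at least one more label after it, never matching across a dot, and subjectAltName taking precedence over the subject CN), and puts a verifying `ssl.SSLContext` beside one that would let a redirect pass unnoticed. The certificate contents for www.amazon.com, *.example.com and the printer at 192.168.188.243 are constructed sample data.

```python
import ipaddress
import ssl

# Constructed sample certificates in getpeercert() shape (not real certs).
AMAZON_CERT = {
    "subject": ((("commonName", "www.amazon.com"),),),
    "subjectAltName": (("DNS", "www.amazon.com"), ("DNS", "amazon.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
PRINTER_CERT = {  # only an IP SAN; the CN is not a usable name
    "subject": ((("commonName", "hplj4600dn1"),),),
    "subjectAltName": (("IP Address", "192.168.188.243"),),
}
CN_ONLY_CERT = {  # pre-SAN style cert: CN holds the FQDN
    "subject": ((("countryName", "US"),), (("commonName", "www.amazon.com"),)),
}
ATTACKER_CERT = {  # valid for the attacker's own name, not for amazon
    "subject": ((("commonName", "www.evil.test"),),),
    "subjectAltName": (("DNS", "www.evil.test"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match with RFC 6125 wildcard restrictions."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' or '*.com' would match far too much; require a real domain.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    # Only a whole left-most label may be a wildcard ('w*.example.com' is out).
    if p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate is issued for hostname (FQDN or IP literal)."""
    san = cert.get("subjectAltName", ())
    dns_ids = [v for k, v in san if k == "DNS"]
    ip_ids = [v for k, v in san if k == "IP Address"]
    if dns_ids or ip_ids:
        # SAN present: the CN is ignored entirely.
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            ip = None
        if ip is not None:
            return any(ip == ipaddress.ip_address(v) for v in ip_ids)
        return any(_dns_name_matches(p, hostname) for p in dns_ids)
    # Legacy fallback: no SAN, so "the DN's CN must be the FQDN".
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def verifying_context(cafile=None) -> ssl.SSLContext:
    """Client context that enforces chain verification and name matching."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hijackable_context() -> ssl.SSLContext:
    """The weak setting: encrypted, but to whoever answers. Do not ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

With `hijackable_context()` the padlock still closes, which is exactly the situation the thread describes: the session is encrypted to an unverified party, so a redirect to the attacker's host is indistinguishable from the real site. `match_hostname` is the missing check; `verifying_context()` has the standard library perform it (together with chain validation) on every connection.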
> In an MITM attack, the adversary sits between A and B and is able to
> intercept and/or modify the communications between the two of them
> without their knowledge. Server certificates and "the DN's CN must be
> the FQDN" (sic:) help prevent MITM.
Yes, they help. They do a damned good job
Sorry David, but your definition of MITM is wrong. Or, more accurately,
it is not aligned with how cryptographers and security analysts
generally conceive it.
In an MITM attack, the adversary sits between A and B and is able to
intercept and/or modify the communications between the two of them
> No, they are only within the scope of what an attacker can do. The attacker
> becomes a MITM if they can do it without you knowing anything's wrong.
And SSL/TLS does not itself let you know anything is wrong.
SSL/TLS provides the *ability* for you to know something is wrong
*if* the developers
David Schwartz wrote:
Hijacks and redirects are all within the scope of what a MITM can do.
That's a Humpty-Dumpty argument, not the definition used by cryptographers.
You're simply confused, or are immune to education.
You want a simple definition of a MITM? Here it is -- you think you have:
Si
Thanks for the suggestion! I tried it and it didn't work.
I think Umesh's e-mail below (note he works for HP) hit the nail on the head. I tried his suggestion (below), and then did:
openssl x509 -req -in hplj4600dn1.csr -CA ultimeth.pem -days 3650 -set_serial 01 -out hplj4600dn1.crt
but the gen
Hi,
On July 25, 2003 01:45 pm, David Schwartz wrote:
> Hijacks and redirects are all within the scope of what a MITM can do.
No, they are only within the scope of what an attacker can do. The attacker
becomes a MITM if they can do it without you knowing anything's wrong.
Note "doing it withou
> Brian Hatch wrote:
> > Ahha! I know what we'll do, we'll require certificate authentication!
> > Ok, assuming I have a list of the major CAs and the certificate
> > verified correctly
> You're missing the point. A hijack or redirect is not a MITM
> attack. These words have specific mean
Hi, I have an SSL client/server application,
on a random basis, I get this error in my SSL server. When it does the
SSL_accept, it sometimes gets the following problem:
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
Then the handshake is failed. I am using SSLv3, and op
> >Ahha! I know what we'll do, we'll require certificate authentication!
> >Ok, assuming I have a list of the major CAs and the certificate
> >verified correctly
>
> You're missing the point. A hijack or redirect is not a MITM
> attack. These words have specific meaning, which you are abu
Brian Hatch wrote:
Ahha! I know what we'll do, we'll require certificate authentication!
Ok, assuming I have a list of the major CAs and the certificate
verified correctly
You're missing the point. A hijack or redirect is not a MITM
attack. These words have specific meaning, which you are a
> >>The case of connecting to a different party (hijacking) has nothing
> >>whatsoever to do with MITM.
> >
> > A MITM is a different party! No offense, but do you have any idea
> > what you're talking about?
>
> Back to school, David. MITM is used by cryptographers to refer to
> an
[EMAIL PROTECTED] admin]$ openssl s_client -connect 192.168.188.243:443
connect: Connection refused
connect:errno=29
It means that there is nothing listening on port 443 on the remote host,
so the kernel over there rejected your attempt to connect.
For more details, try "man 2 errno".
/r$
Morning, can someone tell me what this error code means when I do the following, and also where I can find a list of all the error codes.
[EMAIL PROTECTED] admin]$ openssl s_client -connect 192.168.188.243:443
connect: Connection refused
connect:errno=29
Thanks in Advance
mike
David Schwartz wrote:
This is not a MITM. A Man-in-the-middle attack assumes a party on the
wire, witnessing all communication and able to insert arbitrary text.
Exactly. That's a MITM.
If I connect to 'www.amazon.com' through a MITM, that MITM can do one of
two things. He can tamper
> This is what I'm trying to prevent. After the handshake and authentication
> by SSL, it is still not safe enough, because other people and I share
> some common secrets (key and certificate), but if secrets are compromised,
> (I know that people don't like this idea of losing a key, but it happened
>
On Fri, Jul 25, 2003 at 09:18:52AM -0400, Jue (Jacky) Shu wrote:
> On 2003-07-24 at 18:43, David Schwartz wrote:
> >
> > > Please check this url:
> > > http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
> > > Server authentication, step 4
> > > The only difference is that netsc
Hi!
I probably have a very basic question, but I need to describe my problem
in detail to make sure everybody understands what I'm looking for,
because I may not be using the correct terminology. I want to have
this kind of organizational structure (OU = Organizational Unit):
Root-CA
|
+-
On 2003-07-24 at 18:43, David Schwartz wrote:
>
> > Please check this url:
> > http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
> > Server authentication, step 4
> > The only difference is that netscape just check domain name.
>
> "Does the domain name in the server's certif
> -Original Message-
> From: Bob DeBolt [mailto:[EMAIL PROTECTED]
> Sent: 14 July 2003 18:35
> To: [EMAIL PROTECTED]
> Subject: RE: Signing a CSR from JetDirect
>
>
>
> > It seems to me that it is in the best interest of the major
> > CAs to not offer wildcard certificates; that way,
Hello Alain,
where did you see the certificate status option? From my IE6 browser,
it only indicates that the certificate isn't verified by a
trusted CA... not to mention I see the SSL symbol (locked padlock
icon), which indicates that 128-bit encryption is enabled...
any more experience
Once upon a time, I heard Dr. Stephen Henson say:
> Its PKCS#7 signedData. You can use the smime utility with -inform DER
> or programatically d2i_PKCS7().
Thanks, it works well this way...
But what is meant by the MD5 sum for this key? I wasn't able to
reproduce it, neither with openssl nor with