Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

https man in the middle [was: routing between provider edge and CPE routers]

  • From: Martin Renschler (EWU)
  • Date: Wed Jan 29 21:14:47 2003

It's even worse, a fake certificate from a man in the middle causes a trustworthy warning! If a certificate is not co-signed by any of the Browser compiled-in authorities, the Browsers will just ask: " you want to trust <company>". The hacker is completely free to fill in <company> when he creates his own certificate on the server side (using plain openssl). This will be the only popup as the fake certificate will match the faked URL.
Did M$ expect people to say "no" to the fake question "Do you want to trust Citibank" when they are in fact trying to connect to the real Citibank site?
The default behavior of a browser should be to reject unsigned certificates and not even ask the question. Currently, there is even no warning that <company> was learned from an unsigned certificate.

(disclaimer... does not necessarily reflect the opinion of my employer...)

> Even supposedly secure things like SSL-protected websites and SSH logins
> are vulnerable due to the simple fact that most people won't think twice
> to say "yes" to SSH complaining that it detected a new host key; or notice
> that they're really talking to a different website (or that the lock icon
> is not showing) - if it looks the same, and its URL is similar-looking
> (l->1, O->0, etc; and with newish Unicode URLs the fun is unlimited).

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.