[16481] in cryptography@c2.net mail archive
Re: SSL/TLS passive sniffing
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Dec 1 00:47:38 2004
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@research.att.com>
To: David Wagner <daw@cs.berkeley.edu>
Cc: bnagy@eeye.com, cryptography@metzdowd.com
In-Reply-To: Your message of "Tue, 30 Nov 2004 19:22:29 PST."
<200412010322.iB13MTt1027228@taverner.CS.Berkeley.EDU>
Date: Tue, 30 Nov 2004 23:36:00 -0500
In message <200412010322.iB13MTt1027228@taverner.CS.Berkeley.EDU>, David Wagner
writes:
>Ben Nagy wrote:
>>Recently a discussion came up on firewall-wizards about
>>passively sniffing SSL traffic by a third party, using a copy of the server
>>cert (for, eg, IDS purposes).
>
>This sounds very confused. Certs are public. How would knowing a copy
>of the server cert help me to decrypt SSL traffic that I have intercepted?
>Now if I had a copy of the server's private key, that would help, but such
>private keys are supposed to be closely held.
>
>Or are you perhaps talking about some kind of active man-in-the-middle
>attack, perhaps exploiting DNS spoofing? It doesn't sound like it, since
>you mentioned passive sniffing.
>
>And it doesn't matter whether you use Diffie-Hellman or RSA with Verisign
>certs; either way, SSL should be secure against passive eavesdropping.
>
>I think you need to elaborate before we can give any sensible responses.
>
There are products out there that use their own CA certificate to
create new certificates for any end point you try to connect to. If
the user accepts the certificate of an unknown CA -- or, in some cases,
if the organization has preconfigured user systems to trust the
firewall CA, which I've also seen -- there's a simple MITM attack.
--Steve Bellovin, http://www.research.att.com/~smb
---------------------------------------------------------------------
The Cryptography Mailing List