[5403] in cryptography@c2.net mail archive
Re: going around the crypto
daemon@ATHENA.MIT.EDU (MIKE SHAW)
Sat Aug 14 13:20:56 1999
Date: Fri, 13 Aug 1999 12:00:55 -0500
From: "MIKE SHAW" <mas@sbscorp.com>
To: smb@research.att.com
Cc: cryptography@c2.net
Right. But to do that you would most have to install your
homemade CA root cert on their browser, which would probably tip off
most users (at least a few customers would call clueless as to how to install
a CA--I know ours would). The only CAs with commonly accepted root certs
wouldn't let you get one from them without checking your credentials first.
So it looks like unless you compromised the target server first and somehow
stole their SSL certificate, you'd have to create your own that matched the
domain name and that would make the exploit very untransparent to the
exploited user. Unless of course, there is an easy way to make commonly
accepted certificates without authentication--which would be a fatal flaw in
the whole protocol.
Don't get me wrong, I'm not downplaying the significance of the L0pht's
advisory at all. I'm just trying to get a grasp on the implications.
-Mike
>>>Not as a proxy, since that's a different protocol from the host, but as the
end-system. Yes, you have to issue yourself a fake certificate, but I suspect
that that's not an insurmountable problem. And of course, that certificate is
signed by someone you've invented with a plausible name -- probably something
corresponding to the name of the site you're impersonating. Say, "Amazon.com
Electronic Security Services" or some such.