[62083] in North American Network Operators' Group
Re: What *are* they smoking?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Sep 15 21:35:23 2003
From: "Steven M. Bellovin" <smb@research.att.com>
To: nanog@merit.edu
In-Reply-To: Your message of "Mon, 15 Sep 2003 20:17:23 CDT."
<3F6664A3.60800@quickfire.org>
Date: Mon, 15 Sep 2003 21:25:29 -0400
Errors-To: owner-nanog-outgoing@merit.edu

It's bad enough now; it could be even worse. They could respond on
port 443, too, with a legitimate-seeming certificate -- they're
*Verisign*, the leading certificate authority.

In the security world, we call this a man- (or monkey-)in-the-middle
attack, for which the standard defense is crypto. But that doesn't
work well when your trusted third party is part of the threat model...

--Steve Bellovin, http://www.research.att.com/~smb