
Security Forums


man-in-the-middle at ssl handshake

h2g
Posted: Sun Dec 06, 2009 12:18 am

Hi,

I have difficulty understanding why the signed certificate in SSL authentication should make it difficult to do a man-in-the-middle attack.

If I were the attacker, this is what I would do:
I would pretend to the server (e.g. an online bank) to be the client. And I would pretend to the client (e.g. a customer of the bank) that I'm the server. I would just forward the certificate that was originally sent by the server to the client. This certificate is certainly signed; I would not change anything in that signature. So the client would not be able to recognize that the certificate is actually not sent by the server, but forwarded by me - the attacker. Thus, the client would believe that I am the server.

What am I misunderstanding?

Thanks!!
Henning
capi
Posted: Sun Dec 06, 2009 3:02 pm

Hi Henning,

The point is that the public key used by the client to encrypt the data is contained in the server certificate. If you forward the server's certificate to the client, you will be unable to decrypt the client's traffic later -- unless you can somehow crack the public key, in which case the whole encryption thing is moot anyway.

If you alter the server's certificate to include your own public key, then the CA signature on the certificate won't match, and the client's browser will flag the certificate as invalid.
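
The two cases described in the reply above, as an added example that is not part of the original thread: a toy textbook-RSA model of a client that checks the CA signature and then encrypts a secret to the public key inside the certificate. The keys, the name `bank.example` and all function names are constructed for illustration; the RSA here has no padding and is not secure.

```python
import hashlib

E = 65537

def keygen(p, q):
    """Toy textbook RSA key from two known primes (no padding, NOT secure)."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def tbs(cert):
    """Hash of what the CA signs: the subject name AND the public key."""
    data = f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(subject, key, ca):
    cert = {"subject": subject, "n": key["n"], "e": key["e"]}
    cert["sig"] = pow(tbs(cert), ca["d"], ca["n"])  # signed with the CA private key
    return cert

def verify(cert, ca_pub):
    return pow(cert["sig"], ca_pub["e"], ca_pub["n"]) == tbs(cert)

def client_send_secret(cert, ca_pub, secret):
    """Client: reject an invalid certificate, else encrypt to the key inside it."""
    if not verify(cert, ca_pub):
        return None
    return pow(secret, cert["e"], cert["n"])

def decrypt(ciphertext, key):
    return pow(ciphertext, key["d"], key["n"])

# Constructed toy keys built from Mersenne primes
CA = keygen(2**521 - 1, 2**607 - 1)
SERVER = keygen(2**89 - 1, 2**107 - 1)
ATTACKER = keygen(2**61 - 1, 2**127 - 1)
CA_PUB = {"n": CA["n"], "e": CA["e"]}
SECRET = int.from_bytes(b"premaster-secret", "big")
CERT = issue("bank.example", SERVER, CA)

def relay_unmodified():
    """Case 1: certificate forwarded as-is. Returns (server_reads, attacker_reads)."""
    ct = client_send_secret(CERT, CA_PUB, SECRET)
    return decrypt(ct, SERVER) == SECRET, decrypt(ct, ATTACKER) == SECRET

def substitute_key():
    """Case 2: public key swapped, old CA signature kept. Client sends nothing."""
    forged = dict(CERT, n=ATTACKER["n"], e=ATTACKER["e"])
    return client_send_secret(forged, CA_PUB, SECRET)

if __name__ == "__main__":
    print(relay_unmodified(), substitute_key())
```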