* Jean-Michel besnard <jm-ml@tekkno.net> (besnard@tekkno.net) [030909 12:47]: > Hi, > > On Tue, Sep 09, 2003 at 09:00:28PM +0200, Joerg Rossdeutscher wrote: > > Hi, > > > > Am So, 2003-09-07 um 23.44 schrieb Colin Watson: > > > On Sun, Sep 07, 2003 at 09:46:02PM +0200, Joerg Rossdeutscher wrote: > > > > Am So, 2003-09-07 um 21.11 schrieb Mario Vukelic: > > > > > You probably don't even get security fixes fo NS 4 anymore! > > > > > > > > Uninteresting, since one would use NS4 only with the bank's site. They > > > > don't need to hack me. They own everything I have... :-) > > > > > > Whoa, sure it's interesting. Consider a man-in-the-middle SSL attack: > > > now somebody else owns everything you have. > > You can not really mount a man-in-the-middle attack if the bank's certificate (and therefore the public key contained in it) has been signed by a trusted entity (eg, a CA). > > or maybe I am wrong.... That's what makes it an attack. ISTR an exploit in IE which would allow anyone with a trusted cert to impersonate any other site. For example, if I got a cert for doorstop.net signed by verisign, I could then pull off a MITM and pretend to be amazon.com, thereby grabbing credit card numbers, etc. I may be a bit off base on my recollection of the exploit; I mostly remember just chuckling to myself when I read the CERT alert. =) The whole point is that a buggy browser could make it easy for someone to pull something like this off, wherein the browser might be validating certs incorrectly, or just not warning the user when it failed to validate, or whatnot. good times, Vineet -- http://www.doorstop.net/ -- I am mortified to be told that, in the United States of America, the sale of a book can become a subject of inquiry, and of criminal inquiry too. -- President Thomas Jefferson
Attachment:
pgpQNYK7l6mFX.pgp
Description: PGP signature