[ProgSoc] this is a test, please ignore

Nicholas FitzRoy-Dale wzdd at progsoc.org
Mon Nov 3 22:17:44 EST 2008


On 03/11/2008, at 5:59 PM, John Elliot wrote:
> I was reading this article "Mozilla SSL policy bad for the Web" [1]  
> this
> evening. I agree with the author's point.
>
> One thing that would lend particular credence to his point, and
> something he didn't mention, is that it is becoming common for network
> equipment to hi-jack outbound SSL connections and proxy them.

I think you and that article's author are talking about basically  
opposite points. The article is in favour of transparently accepting  
self-signed certs, which makes the sort of man-in-the-middle attack  
you just describe considerably less opaque.

EG I'm an evil guy with a proxy (true so far). Whenever someone makes  
an SSL connection to me I intercept the connection, create my own self- 
signed cert for the site, and steal your credit card details (only  
hypothetically true). If this guy has his way then the browser will  
accept my self-signed cert without complaining. If you have your way  
too then the browser would display "microsoft.com (self-signed)"  
somewhere.

This MITM attack is made more troublesome by virtual hosting, but not  
much more troublesome because I am also monitoring your non-SSL  
traffic. So if your 37 most recent requests were to store.apple.com  
then I can probably guess when you make an encrypted connection that  
your SSL destination is store.apple.com and not hotlinuxnerds.com,  
even if those two sites share the same IP.

The maths behind SSL is hard (but that's OK, someone has already  
worked it out). The implementation of that maths in browsers is easy  
(this is what we have so far). But getting the user interface right is  
really hard.

Nicholas




More information about the Progsoc mailing list