nlindq at maei.ca
Fri Jun 4 19:01:27 GMT 2004
On 4 Jun 2004 at 8:08, David Klotz wrote:
> Since the list is so slow right now, I'll take this opportunity to ask a
> question: Has anyone ever heard of somebody successfully eavesdropping on a
> validly established HTTPS connection?
> Some term definition: by "successful", I mean snooped encrypted traffic,
> decrypted it, and learned something they didn't already know. "Valid" means
> there was nothing funny going on with the setup of the secure connection. I
> know about MIM attacks, and I know you can trick people into going to "secure"
> sites that aren't what they think they are, but I'm not interested in those
Unless you're talking about a university campus or the like, there's
actually very little real-world eavesdropping that goes on even for
unencrypted connections. Bruce Schneier has talked about how the SSL
infrastructure for websites is pretty much irrelevant because nobody
tries to listen to one connection just to steal a credit card number
or what have you when one could instead break into the webserver and
steal *all* the credit card numbers from the database backend.
That being said, the only way I know of to "listen in" on an
encrypted conversation is to have access to the server's private key
and use something like ssldump, which I don't think is the kind of
thing you're talking about.
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
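The private-key route described in the post above (what ssldump does with a server key), modelled here as an added example in Python; this is not code from the post, from ssldump, or from any real TLS stack. It also shows the caveat a practitioner would want: holding the server's private key only recovers a session whose cipher suite used RSA key exchange, where the client sends the premaster secret encrypted to the server's public key; with an ephemeral Diffie-Hellman suite the long-term key merely signs the server's share, so the same passive capture cannot be decrypted (forward secrecy). Everything in the block is a simplified stand-in: toy-sized textbook RSA and DH parameters generated at import, an HMAC-based key derivation in place of the TLS PRF, and an HMAC-keystream XOR in place of the record cipher. Only the structure of who knows what matches the real protocol.

```python
# Added illustration, not real TLS: who can decrypt a recorded session with
# the server's private key. All parameters and ciphers are toy stand-ins.
import hashlib
import hmac
import os
import random

_rng = random.SystemRandom()  # OS entropy; keygen below is for the model only


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (assumed adequate for toy parameters)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def rsa_keygen(bits=512):
    """Textbook RSA without padding, toy size. Returns ((n, e), (n, e, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            n, phi = p * q, (p - 1) * (q - 1)
            return (n, e), (n, e, pow(e, -1, phi))


def derive_key(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: session key from premaster plus both nonces."""
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()


def record_crypt(key, seq, data):
    """Toy stream cipher (HMAC keystream XOR); same operation both directions."""
    keystream, block = b"", 0
    while len(keystream) < len(data):
        ctr = seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        keystream += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def rsa_session(server_pub, plaintext):
    """RSA key exchange: client picks the premaster and sends it encrypted to
    the server's public key. Returns exactly what a passive sniffer records."""
    n, e = server_pub
    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = os.urandom(48)  # 384 bits, below the 512-bit modulus
    key = derive_key(premaster, client_random, server_random)
    return {"client_random": client_random, "server_random": server_random,
            "encrypted_premaster": pow(int.from_bytes(premaster, "big"), e, n),
            "record": record_crypt(key, 0, plaintext)}


def eavesdrop_rsa(capture, server_priv):
    """The ssldump path: recover the premaster with the private key, rerun the
    key derivation, decrypt the records. No interaction with either party."""
    n, e, d = server_priv
    premaster = pow(capture["encrypted_premaster"], d, n).to_bytes(48, "big")
    key = derive_key(premaster, capture["client_random"], capture["server_random"])
    return record_crypt(key, 0, capture["record"])


DH_P = _random_prime(256)  # toy group; real suites use fixed, much larger groups
DH_G = 2


def dhe_session(plaintext):
    """Ephemeral DH: fresh secret exponents per session; the server's RSA key
    would only sign its share (signature omitted) and encrypts nothing on the wire."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    a, b = _rng.randrange(2, DH_P - 1), _rng.randrange(2, DH_P - 1)
    client_share, server_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    premaster = pow(server_share, a, DH_P).to_bytes(32, "big")  # g^(ab) mod p
    key = derive_key(premaster, client_random, server_random)
    return {"client_random": client_random, "server_random": server_random,
            "client_share": client_share, "server_share": server_share,
            "record": record_crypt(key, 0, plaintext)}


def eavesdrop_dhe(capture, server_priv, budget=20000):
    """server_priv is deliberately unused: nothing in the capture was encrypted
    to it. The only route to the key is the discrete log of a share, so try a
    bounded brute force and return None when the budget runs out."""
    x = 1  # x == DH_G ** a (mod DH_P) at loop index a
    for a in range(budget):
        if x == capture["client_share"]:
            premaster = pow(capture["server_share"], a, DH_P).to_bytes(32, "big")
            key = derive_key(premaster, capture["client_random"], capture["server_random"])
            return record_crypt(key, 0, capture["record"])
        x = x * DH_G % DH_P
    return None
```

Run `rsa_session` and `dhe_session` on the same constructed request and hand both captures plus the private key to the matching `eavesdrop_*` function: the RSA capture decrypts to the original bytes, the DHE capture does not. The practical check this implies for a real capture is the negotiated cipher suite in the ServerHello, not whether you hold the key.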