[Dshield] 0wnlng Windows machines

Tony Earnshaw tonni at hetnet.nl
Mon Feb 26 20:04:32 GMT 2007


Darren Spruell wrote, on 26. feb 2007 15:37:

>> FWIW use https not for certified authentication, but purely to encrypt
>> all traffic between the site and the client; it is webmail, after all.
> 
> Fair enough, however even the server authentication portion of SSL has
> a tie-in to the encryption portion. With encryption, a primary thing
> you're worried about is confidentiality of the data. Encryption alone
> won't keep your data secret from a third party if that third party can
> perform a man in the middle attack and intercept connections between
> the server and client. The server will happily encrypt data between
> itself and the attacker, and the client will gladly encrypt data
> between itself and the attacker, allowing the attacker to see the
> communication in cleartext. Therefore, your efforts to keep the
> communications secured fall apart. For this reason, validation of the
> server certificate is important to data confidentiality as well - the
> attack fails when the client tries to validate that it is about to
> carry on secure communications with the webmail server and the
> certificate fails to validate properly. (In theory; the effectiveness
> of this measure has a lot to do with the understanding of the client
> that they have a hijacked connection and shouldn't just click yes to
> continue anyway.)

Forgive me, I've read about Bob and Alice too; the only significance of 
the CA certificate that we issue (and that is what is the springing 
point of this thread) is to state who issues it and if that instance can 
be trusted.

It has (and neither has the data transmission) nothing to do with the 
encryption involved or its decryption; we are dealing with asymmetric 
encryption, in which anyone ("man in the middle") not in cognizance of 
the private key can go and hmmm ... fiddle hmmm ... with himself.

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl
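An added example, not part of either poster's message, that models the exchange Darren describes: a key exchange whose server is not authenticated is silently relayed by a man in the middle, while a client that checks the server's certificate against a trusted CA refuses the substituted key. The Diffie-Hellman group, the XOR cipher, the host name webmail.example and the HMAC standing in for the CA's signature are all toy constructions for the demo.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for this demo; far too small for real use).
P = 2**127 - 1
G = 5
SERVER_NAME = "webmail.example"          # hypothetical host name
CA_KEY = secrets.token_bytes(32)         # the CA's signing key; the client trusts this CA

def ca_sign(name: str, pub: int) -> bytes:
    """Toy 'certificate': binds a server name to its public key under the CA's key
    (an HMAC stands in for the asymmetric signature a real X.509 CA would make)."""
    return hmac.new(CA_KEY, f"{name}:{pub}".encode(), hashlib.sha256).digest()

def ca_verify(name: str, pub: int, cert: bytes) -> bool:
    return hmac.compare_digest(ca_sign(name, pub), cert)

def keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def xor_crypt(shared: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a keystream derived from the DH secret."""
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, key * (len(data) // 32 + 1)))

def session(validate_cert: bool, mitm: bool) -> dict:
    """One webmail login; the client may check the cert, an attacker may relay."""
    srv_priv, srv_pub = keypair()
    cert = ca_sign(SERVER_NAME, srv_pub)
    cli_priv, cli_pub = keypair()
    att_priv, att_pub = keypair()
    # The attacker can substitute its own key but can only replay the server's cert.
    seen_pub = att_pub if mitm else srv_pub
    if validate_cert and not ca_verify(SERVER_NAME, seen_pub, cert):
        return {"rejected": True, "attacker_reads": False, "server_reads": False}
    secret = b"password=hunter2"            # constructed sample login
    ciphertext = xor_crypt(pow(seen_pub, cli_priv, P), secret)
    attacker_plain = b""
    if mitm:
        # The attacker shares one secret with the client and another with the
        # server, so it decrypts, reads and re-encrypts; both ends see a valid session.
        attacker_plain = xor_crypt(pow(cli_pub, att_priv, P), ciphertext)
        ciphertext = xor_crypt(pow(srv_pub, att_priv, P), attacker_plain)
        cli_pub = att_pub                   # the server only ever saw the attacker's key
    server_plain = xor_crypt(pow(cli_pub, srv_priv, P), ciphertext)
    return {"rejected": False, "attacker_reads": attacker_plain == secret,
            "server_reads": server_plain == secret}
```

With validate_cert=False both parties still get a working encrypted session, which is exactly why "the server will happily encrypt data between itself and the attacker" matters; the CA's binding of name to key is what lets the client notice.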

