From: Alex Alten (Alten home.com)
Date: Fri Jan 05 2001 - 21:48:09 CST
At 10:07 PM 1/5/2001 +0100, Daniel Roethlisberger wrote:
>
>>> A rumor over on the ipsec mailing list mentions that there is
>>> a sniff tool that can crack SSL. Would anyone here know anything
>>> at all about this? Is there a man-in-the-middle attack that
>>> doesn't require a trusted server certificate?
>
>-snip-
>
>It all boils down to: you do not need a trusted server
>certificate, but if you are using an untrusted cert, some clients
>(browsers) may pop up a window asking the user whether the cert
>is ok to use, while some other clients don't allow communicating
>with untrusted servers.
>
I guess things would get real interesting if the private key to a trusted
intermediate or root certificate authority got stolen and published. It
might take a while to update all the browsers out there to not accept it
as a valid signer of server certificates.
- Alex
--Alex Alten
Alten
Home.Com