RE: Self-signed key verses Verisign or Thawte

Subject: RE: Self-signed key verses Verisign or Thawte
From: Mike Barsalou (mbarsalou@aidea.org)
Date: Wed Jul 17 2002 - 16:29:18 AKDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: W. D. McKinney: "(no subject)"
• Previous message: civileme: "Re: Self-signed key verses Verisign or Thawte"
• Maybe in reply to: Mike Barsalou: "Self-signed key verses Verisign or Thawte"
• Next in thread: Matthew Schumacher: "Re: Self-signed key verses Verisign or Thawte"
• Maybe reply: Mike Barsalou: "RE: Self-signed key verses Verisign or Thawte"
• Reply: Mike Barsalou: "RE: Self-signed key verses Verisign or Thawte"

Don't still have to be physically in the middle for this to work? You said
you can be man in the middle for anyone...isn't that a physical
impossibility? Unless all traffic is routed through you?

I can see that if you are on the same cable network as me, then this would
be a potential problem for me specifically, but not for the guy who lives in
Japan and is trying to reach Norway...most likely no packets routed through
the USA.

Or am I way off base here?

Mike
-----Original Message-----
From: civileme [mailto:civileme@mandrakesoft.com]
Sent: Wednesday, July 17, 2002 4:25 PM
To: Mike Barsalou; 'aklug@aklug.org'
Subject: Re: Self-signed key verses Verisign or Thawte

On Wednesday 17 July 2002 02:12 pm, Mike Barsalou wrote:
> Can someone explain the advantage of having a Certificate from Verisign or
> Thawte over having one self-signed?
>
> Mike
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.

The verification from an independent agency means you do not have to be
concerned about the "man-in-the-middle". Thus attack has been around
actually since TCP sniffing. With an unencrypted connection, you pretend to

be the client to the server and pretend to be the server to the client,
closing and re-opening TCP connections with different sequencing windows.
It
is detectable on short hops by an "ACK storm" as the server and client
reject
the (to them) out of sequence messages. This desyncronization will work
rather well if there are sufficient hops to absorb all the ACKs.

Using readily available libs (libpcap, libnet, libnids) and some easily
available test software, I can snatch unencrypted stuff from almost anyone
as
long as I have a few hops between them and me and between the server and me.

I can also snatch encrypted stuff. All I have to do is get in the middle,
close the windows, reopen them with different keys, and present my
"self-signed certificate" to say I am the server in which they are
interested. As long as I pretend to be the user to the server and the
server
to the user, and the user accepts my certificate, I can pass encrypted data,

decrypting it in the middle, because I have passed both of the folks MY key,

conveniently borrowed from some other secure server, and snarfing the odd
password or credit card number.

Now I cannot duplicate the Signature certificate for Verisign or Thawte
because there is a manual process involved to make it and communication with

a third party to verify it.

But this is why it is much more risky to use ssh or ssl against a
self-signed
certificate.

Civileme

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.

• Next message: W. D. McKinney: "(no subject)"
• Previous message: civileme: "Re: Self-signed key verses Verisign or Thawte"
• Maybe in reply to: Mike Barsalou: "Self-signed key verses Verisign or Thawte"
• Next in thread: Matthew Schumacher: "Re: Self-signed key verses Verisign or Thawte"
• Maybe reply: Mike Barsalou: "RE: Self-signed key verses Verisign or Thawte"
• Reply: Mike Barsalou: "RE: Self-signed key verses Verisign or Thawte"

This archive was generated by hypermail 2a23 : Wed Jul 17 2002 - 16:32:23 AKDT