I'd like to get rid of pulseaudio but ... (Gene Heskett)
Chris Adams
cmadams at hiwaay.net
Mon Jun 1 19:01:54 UTC 2009
Once upon a time, Bruno Wolff III <bruno at wolff.to> said:
> On Sun, May 31, 2009 at 13:26:17 -0500,
> Chris Adams <cmadams at hiwaay.net> wrote:
> > HTTPS with an unknown self-signed cert is barely any more secure than
> > unencrypted HTTP, since a man-in-the-middle attack could just be
> > replacing the cert and decrypting all communications.
>
> No it is a much harder attack than snooping. To do man in the middle you need
> to be able to take packets out of the stream and redirect them. This needs to
> be done in real time and if you guess wrong about whether the other end knows
> what the certificate is, people are going to notice you doing it.
ISTR if you can snoop you can hijack the TCP session setup by responding
first (aren't out-of-window packets ignored?). You don't have to cause
the "real" responses to be dropped, you just have to respond faster.
> And be sure to note that certificate signed by RSA, Thawte or whoever doesn't
> equate to secure either. Unless you have verified the end certificate
> yourself you don't know that the organization on the other end is who you
> really mean to be talking to.
You are trusting that the CAs have done the verification, which they do
(to differing degrees).
--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
More information about the fedora-list
mailing list