obfuscation@beta.freedom.net wrote:
On Sat, 18 Nov 2000 obfuscation@beta.freedom.net wrote:
Bram Cohen <bram@gawth.com> writes:
Unless that problem is fixed, man in the middle is hardly made more difficult - for example, Mallory could break into some random machine on the net and steal it's public key, then hijack local DNS and when someone goes to amazon.com redirect them to amazon.hackeddomain.com, and then proxy to amazon.com - now even SSL says the connection is safe.
Are you sure that works? I would think the SSL client would do a connection to the URL the user typed, www.amazon.com, and check the name in the cert to see if it (approximately) matches.
When the user goes to www.amazon.com, they get a plaintext http redirect to amazon.hackeddomain.com, which does check.
Still confused...
The original connection to www.amazon.com is an SSL connection, right? We are following an https: URL? (Otherwise, SSL would not even come into the picture.)
If you do a DNS hack to redirect www.amazon.com to amazon.hackeddomain.com, the latter site will not be able to complete SSL handshaking without triggering a browser warning, will it?
[snip]
So it looks to me like the SSL protocol will not allow the redirection attack to work without triggering a user alert, unless there is some subtlety here...
Definitely depends on the implementation, and perhaps browser settings.