SSL Man-in-the-middle

Simon Spero ses at tipper.oit.unc.edu
Tue Sep 26 06:32:16 PDT 1995


Jeff - there are two ways to get the document information right (or wrong).

The first approach is to use redirects to point the client back at the 
original server once you've grabbed whatever info you want for the 
request. Redirects from https -> https don't trigger a warning box. You 
may need to rewrite the URL slightly to prevent loop detection (stick a . 
at the end of the hostname, or add a port, etc. 

The second approach is to only intercept requests for inline images. 
These don't affect the document information window, and give you full 
access to the whole request, which may have user authentication information 
associated with it, in the URL or in  header fields. Image requess can be 
identified reliably through simple traffic analysis.

Simon

Contract with America - Explained!			|Phone: +44-81-500-3000
Contract: verb						|Mail: ses at unc.edu
1) To shrink or reduce in size - the economy contracted +-----------------------
2) To become infected -My baby contracted pneumonia when they stopped my welfare







More information about the cypherpunks-legacy mailing list