Once upon a time, Bruno Wolff III <bruno@xxxxxxxx> said:
> On Sun, May 31, 2009 at 13:26:17 -0500,
>   Chris Adams <cmadams@xxxxxxxxxx> wrote:
> > HTTPS with an unknown self-signed cert is barely any more secure than
> > unencrypted HTTP, since a man-in-the-middle attack could just be
> > replacing the cert and decrypting all communications.
>
> No, it is a much harder attack than snooping. To do man in the middle you need
> to be able to take packets out of the stream and redirect them. This needs to
> be done in real time and if you guess wrong about whether the other end knows
> what the certificate is, people are going to notice you doing it.

ISTR if you can snoop you can hijack the TCP session setup by responding
first (aren't out-of-window packets ignored?). You don't have to cause the
"real" responses to be dropped, you just have to respond faster.

> And be sure to note that a certificate signed by RSA, Thawte or whoever doesn't
> equate to secure either. Unless you have verified the end certificate
> yourself you don't know that the organization on the other end is who you
> really mean to be talking to.

You are trusting that the CAs have done the verification, which they do (to
differing degrees).

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
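The thread's point of disagreement is whether an unknown self-signed certificate buys anything against a man in the middle. What closes the gap is "verifying the end certificate yourself", as Bruno puts it: record the certificate's fingerprint the first time you see it and refuse any later connection that presents a different one. The following trust-on-first-use (TOFU) pin store is an added example written for this page, not code from either poster or from any Fedora project; it goes slightly beyond the thread by showing the check as reusable code. The host name `example.test`, the class and function names, and the "DER" byte strings are constructed placeholders, not real certificates.

```python
# Added example (not from the thread): trust-on-first-use (TOFU) pinning of a
# self-signed certificate's fingerprint. The certificate bytes used in
# simulate() are constructed placeholders, not real DER-encoded certificates.
import hashlib


class PinMismatch(Exception):
    """Raised when a host presents a certificate that differs from the pinned one."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Records the certificate fingerprint seen on the first connection to each host.

    Later connections must present a certificate with the same fingerprint; a
    different one is treated as a possible substitution by an interceptor and
    rejected. Plain HTTP offers nothing to compare against, which is the
    difference the thread is arguing about.
    """

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def verify(self, host: str, cert_der: bytes) -> str:
        """Return "first-use" or "match"; raise PinMismatch on a changed cert."""
        fp = fingerprint(cert_der)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: nothing to compare with, so remember what we saw.
            self._pins[host] = fp
            return "first-use"
        if pinned != fp:
            raise PinMismatch(
                f"{host}: pinned {pinned[:16]}..., presented {fp[:16]}..."
            )
        return "match"


def simulate() -> dict:
    """Constructed scenario: the same server twice, then a substituted certificate."""
    server_cert = b"constructed-DER-for-example.test-self-signed"      # placeholder
    substituted_cert = b"constructed-DER-presented-by-interceptor"     # placeholder
    store = TofuStore()
    results = {}
    results["first"] = store.verify("example.test", server_cert)
    results["second"] = store.verify("example.test", server_cert)
    try:
        store.verify("example.test", substituted_cert)
        results["substituted"] = "accepted"
    except PinMismatch:
        results["substituted"] = "rejected"
    return results


if __name__ == "__main__":
    print(simulate())
```

In a real client the DER bytes come from `ssl.SSLSocket.getpeercert(binary_form=True)` after the handshake; the store would be persisted to disk and the first-use fingerprint confirmed out of band (for example against a value read off the server console), since TOFU protects every connection except the very first one.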