Re: AES client side

Robin Vickery wrote:
> How about if the third party can control one side of the transaction
> by altering the javascript that implements it while in transit - for
> instance by adding a couple of lines that transmit the key to the
> third party after the key exchange?

If the algorithm written in JavaScript is both trusted and installed beforehand (like SSL libs)....

You're right though. Without having some trust mechanism, the whole thing could collapse. In fact, if you're using Diffie-Hellman, and have a third party in the middle that is capable of altering data, they don't even have to alter the code. They can simply use the man-in-the-middle attack, and I don't think anyone would bother writing certificate handling functions in JavaScript to authenticate each party. :-)

jon

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
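
The Diffie-Hellman point in the reply above, as an added example that is not part of the original message: with an unauthenticated exchange, a relay that swaps in its own public key ends up sharing the client's key, while a signature check against a pinned server key rejects the swap. It assumes Node.js's built-in crypto module and that the client code and the pinned key arrived over a trusted channel; all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Long-term server signing key. Assumption: the client obtained the public
// half beforehand over a trusted channel (the "installed beforehand" case).
const serverId = crypto.generateKeyPairSync('ed25519');

function newParty() {
  const ecdh = crypto.createECDH('prime256v1');
  return { ecdh, pub: ecdh.generateKeys() };
}

// Server sends its ephemeral public key plus a signature over it.
function serverHello(server) {
  return { pub: server.pub, sig: crypto.sign(null, server.pub, serverId.privateKey) };
}

// A relay able to alter data replaces the key with its own. It has no
// signing key, so the best it can do is forward the original signature.
function relaySubstitute(hello, relay) {
  return { pub: relay.pub, sig: hello.sig };
}

// Unauthenticated client: accepts whatever public key arrives.
function clientAgreeUnauthenticated(client, hello) {
  return client.ecdh.computeSecret(hello.pub);
}

// Authenticated client: verifies the key against the pinned identity first.
function clientAgreeAuthenticated(client, hello, pinnedKey) {
  if (!crypto.verify(null, hello.pub, pinnedKey, hello.sig)) {
    throw new Error('server key signature invalid: possible man-in-the-middle');
  }
  return client.ecdh.computeSecret(hello.pub);
}

function demo() {
  const client = newParty(), server = newParty(), relay = newParty();
  const tampered = relaySubstitute(serverHello(server), relay);
  const clientKey = clientAgreeUnauthenticated(client, tampered);
  const relayKey = relay.ecdh.computeSecret(client.pub);
  let detected = false;
  try { clientAgreeAuthenticated(client, tampered, serverId.publicKey); }
  catch (e) { detected = true; }
  const honest = clientAgreeAuthenticated(client, serverHello(server), serverId.publicKey);
  return {
    relaySharesClientKey: clientKey.equals(relayKey),
    tamperingDetected: detected,
    honestKeysMatch: honest.equals(server.ecdh.computeSecret(client.pub)),
  };
}
```

The check only holds while the verifying code itself is unmodified, which is the condition raised in the quoted question.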