full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] New Vulnerability agai

Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions

From: Tim <tim-security_at_nospam>
Date: Wed May 30 2007 - 10:49:38 GMT
To: Christopher Soghoian <csoghoian@gmail.com>

> A DNS based man in the middle attack will not work against a SSL
> enabled webserver. This is because SSL certificates certify an
> association between a specific domain name and an ip address. An
> attempted man in the middle attack against a SSL enabled Firefox
> update server will result in the browser rejecting the connection to
> the masquerading update server, as the ip address in the SSL
> certificate, and the ip address returned by the DNS server will not
> match.

False. SSL certificates do not authenticate DNS/IP associations. They authenticate public key/DNS associations. The difference is likely irrelevant to this issue, but be sure you understand SSL's PKI when you explain such things, lest you confuse crypto noobs.

tim



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/