On 12/01/08 02:10 am, Michal Trojnara wrote:
Just be aware a configuration without any authentication (a certificate is not sent nor verified) is vulnerable to trivial active (MiTM) attacks. There are various lamer-friendly tools available, so an attack is no more difficult than sniffing a plaintext connection.
(I had sent this on 1-Dec-2008, but it never showed up on the list. :-( )
<rant>

Computer security makes me feel stupid. It has got to be one of the most opaque concepts in the industry. The problems discussed in this thread are typical.

sbc/yahoo changed their session setup to require an encrypted connection. Fine. Then they refuse a session if the client offers a certificate without a CA chain, i.e., self-signed. But they allow a connection when no client certificate is offered at all.

To verify that sbc is really sbc, a CA certificate is needed from sbc. But to get said certificate an extremely obscure method must be used. (And how do I know that the site I connected to is really sbc since I do not have a CA certificate?) Then more obscure file manipulation and setup is required for Stunnel.

It is no wonder that computer security is bungled so often. It is set up to do so. I see a lot of "All you have to do is these 247 steps..." to accomplish a "simple" security task. That's assuming I have all of the tools needed.

I am sure that, somewhere, there must be a clear discussion of how SSL/TLS certificates work, what the client may provide, what the server may provide, what is necessary to establish a secure, authenticated session. I have not found it.

</rant>
-- jimoe (at) sohnen-moe (dot) com
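
The difference between the unauthenticated setup warned about in the quoted reply and a client that verifies the server, as an added stunnel configuration example that is not part of the original message. The host name, ports and CA file path are placeholders, and the service names are hypothetical.

```ini
; Constructed example: mail.example.net, the ports and the file path below
; are placeholders, not values taken from the thread.

; Weak: the session is encrypted, but no verify option is set, so stunnel
; does not check the server certificate. The client cannot tell the real
; server from an active intermediary that presents its own certificate.
[mail-unverified]
client = yes
accept = 127.0.0.1:1110
connect = mail.example.net:995

; Corrected: the server must present a certificate that chains to a CA
; listed in CAfile, otherwise stunnel refuses the connection.
[mail-verified]
client = yes
accept = 127.0.0.1:1111
connect = mail.example.net:995
; PEM file holding the CA certificate(s) trusted for this server.
; It has to be obtained over a channel you already trust.
CAfile = /etc/stunnel/server-ca.pem
; Level 2: require a peer certificate and verify it against CAfile.
verify = 2
```

No client certificate is configured in either service: server authentication depends only on the client holding a trusted CA certificate. Chain verification with `verify = 2` does not by itself match the certificate to the host name; newer stunnel releases provide `checkHost` for that.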