
Full Disclosure mailing list archives
Re: New Vulnerability against Firefox/ Major Extensions
From: Tim <tim-security () sentinelchicken org>
Date: Wed, 30 May 2007 06:49:38 -0400
> A DNS-based man in the middle attack will not work against an SSL enabled webserver. This is because SSL certificates certify an association between a specific domain name and an IP address. An attempted man in the middle attack against an SSL enabled Firefox update server will result in the browser rejecting the connection to the masquerading update server, as the IP address in the SSL certificate, and the IP address returned by the DNS server will not match.
False. SSL certificates do not authenticate DNS/IP associations. They authenticate public key/DNS associations. The difference is likely irrelevant to this issue, but be sure you understand SSL's PKI when you explain such things, lest you confuse crypto noobs.

tim
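The name check discussed in this message, as an added example that is not part of the original post: a client compares the hostname it asked for against the DNS names in the certificate, and the address DNS returned is not an input. The sample certificates, hostnames and addresses are constructed, the function names are hypothetical, and chain validation and the handshake's proof of private-key possession are assumed to happen elsewhere.

```python
# Added illustration: which values take part in certificate name checking.
# The certificates below are constructed samples in the dict shape returned
# by ssl.SSLSocket.getpeercert(); none of them comes from a real server.

UPDATE_CERT = {"subjectAltName": (("DNS", "updates.example.org"),)}
OTHER_CERT = {"subjectAltName": (("DNS", "attacker.example.net"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.org"),)}


def dns_names(cert):
    """Return the dNSName entries from the certificate's subjectAltName."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """Match one certificate name against the requested hostname.

    A '*' is honoured only as the entire left-most label, and it covers
    exactly one label.
    """
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards directly under a single label, such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def certificate_names_host(cert, hostname, resolved_ip=None):
    """True if the certificate names `hostname`.

    resolved_ip is accepted only to make the point visible: it is never
    consulted, because the certificate binds a public key to a DNS name.
    """
    return any(name_matches(name, hostname) for name in dns_names(cert))


if __name__ == "__main__":
    # Same certificate, two different resolved addresses: same answer.
    for ip in ("192.0.2.10", "203.0.113.66"):
        print(ip, certificate_names_host(UPDATE_CERT, "updates.example.org", ip))
    # A certificate for another name fails whatever address served it.
    print(certificate_names_host(OTHER_CERT, "updates.example.org", "192.0.2.10"))
```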