[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs ?

Ralph Holz holz at net.in.tum.de
Tue Feb 14 15:13:11 EST 2012


>> If all users used a tool like Crossbear that does automatic reporting,
>> yes.
> Not really -- and this I think goes to the root of why what was done here
> is so evil.

[... many correct things omitted, sorry ...]

> It is not so hard really to see the conceptual difference between the two
> cases.  But to tools like Crossbear, they basically look the same.

Why? Crossbear sends the full certificate chain it sees to the CB
server, where it is compared with the full chain that the CB server sees
(plus a few more servers, too, actually, that it can ask). Convergence,
AFAICT, does the same. If you're inside the corporate network, the
certificate chain in the SSL handshake cannot be the same, and both
systems will detect them.

Where Crossbear goes further is that it will now start requesting
traceroutes from participating systems to find out where in the network
the MITM is.


Ralph Holz
Network Architectures and Services
Technische Universität München
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
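The comparison the post describes, a client-observed certificate chain checked against what one or more notary vantage points saw for the same host, as an added example. This is not Crossbear's or Convergence's code: it fingerprints each certificate's DER bytes with SHA-256 and compares position by position; the "DER" byte strings, the notary names and the chain layouts are constructed stand-ins, not real certificates.

```python
"""Added example (not Crossbear or Convergence code): detect an interposed
TLS proxy by comparing the chain a client saw with chains seen elsewhere."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


def fingerprint(der: bytes) -> str:
    """SHA-256 over one certificate's DER encoding, hex-encoded."""
    return hashlib.sha256(der).hexdigest()


def chain_fingerprints(chain: Sequence[bytes]) -> Tuple[str, ...]:
    """Fingerprint every certificate in a chain, leaf first, root last."""
    return tuple(fingerprint(cert) for cert in chain)


@dataclass
class Verdict:
    matches: bool                 # True if some vantage point saw exactly this chain
    closest_notary: Optional[str]  # vantage point whose chain agrees longest from the leaf
    first_mismatch: Optional[int]  # chain position where divergence starts (0 = leaf)
    detail: str


def compare_chain(client_chain: Sequence[bytes],
                  notary_chains: Dict[str, Sequence[bytes]]) -> Verdict:
    """Compare the client's handshake chain with each notary's observation.

    An exact match with any vantage point is accepted (sites legitimately serve
    several chains, e.g. behind a CDN). Otherwise report the closest observation
    and where the chains start to differ, which is what an operator wants to see."""
    client_fp = chain_fingerprints(client_chain)
    closest = None  # (notary name, length of agreeing prefix, same root?)
    for name, chain in notary_chains.items():
        notary_fp = chain_fingerprints(chain)
        if notary_fp == client_fp:
            return Verdict(True, name, None, f"chain identical to the one seen by {name}")
        agree = 0
        for mine, theirs in zip(client_fp, notary_fp):
            if mine != theirs:
                break
            agree += 1
        same_root = client_fp[-1] == notary_fp[-1]
        if closest is None or agree > closest[1]:
            closest = (name, agree, same_root)
    if closest is None:
        return Verdict(False, None, None, "no notary observation available for this host")
    name, agree, same_root = closest
    if agree == 0 and not same_root:
        detail = (f"every certificate differs from what {name} saw, root included; "
                  "consistent with an interposed proxy re-signing the server certificate")
    elif agree == 0:
        detail = (f"leaf differs from what {name} saw but the chain anchors at the same root; "
                  "possible certificate rotation or multi-certificate deployment, confirm "
                  "with another vantage point")
    else:
        detail = f"leaf matches {name} but the issuer chain diverges at position {agree}"
    return Verdict(False, name, agree, detail)


# Constructed sample data: placeholder byte strings standing in for DER certificates.
LEGIT_CHAIN = (
    b"constructed-DER: leaf CN=www.example.com, issued by Example Intermediate",
    b"constructed-DER: Example Intermediate CA, issued by Example Root",
    b"constructed-DER: Example Root CA, self-signed",
)
ROTATED_CHAIN = (  # same issuers, freshly reissued leaf
    b"constructed-DER: leaf CN=www.example.com (reissued), issued by Example Intermediate",
) + LEGIT_CHAIN[1:]
PROXY_CHAIN = (  # what a client behind an intercepting corporate proxy would see
    b"constructed-DER: leaf CN=www.example.com, issued by Corp Proxy CA",
    b"constructed-DER: Corp Proxy CA, self-signed",
)
NOTARY_OBSERVATIONS = {"notary-A": LEGIT_CHAIN, "notary-B": LEGIT_CHAIN}

if __name__ == "__main__":
    for label, chain in (("direct", LEGIT_CHAIN), ("proxied", PROXY_CHAIN)):
        print(label, compare_chain(chain, NOTARY_OBSERVATIONS).detail)
```

Because the proxy must present its own leaf and its own issuing CA, the mismatch starts at position 0 and the roots differ, which is the signal both systems key on; a legitimately rotated leaf still shares the root and is reported as the weaker, second case.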
