[cryptography] trustwave admits issuing corporate mitm certs

Marsh Ray marsh at extendedsubset.com
Wed Feb 29 21:46:33 EST 2012


On 02/28/2012 10:42 AM, Marsh Ray wrote:
>
> By forcing the phishing attack to involve the legitimate site, it does
> one other thing: it puts the site in a position to require strong mutual
> authentication.

Let me clarify one little detail: web browsers will still send the HTTP 
request (including form POST data) to a PKI-enabled MitM. The MitM 
simply doesn't request (or doesn't validate) the client cert in the 
handshake.

The legitimate site only gets to detect the MitM before deciding whether 
or not to process the request and send a response.

- Marsh
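The sequence Marsh describes, as an added model that is not part of the original post or thread: a toy TLS state machine in which the browser validates the server certificate against its trust store, sends a client certificate only when a CertificateRequest arrives, and ships the POST body the moment its own handshake completes. The interceptor holds a certificate for the victim hostname from a CA the browser trusts, never sends CertificateRequest, and is only caught when it turns round and the legitimate site demands a client certificate it cannot present. The hostnames, CA names, user id and form data are constructed for the example.

```python
"""Constructed model of a PKI-enabled MitM against a site using TLS client
certificates. Not from the original post; names and data are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # hostname for a server cert, user id for a client cert
    issuer: str   # CA that signed it


class HandshakeFailure(Exception):
    pass


class Browser:
    """Client side: checks the server cert against its trust store, presents a
    client cert only if asked, then sends the request as soon as the handshake
    it took part in has completed."""

    def __init__(self, trust_store, client_cert, log):
        self.trust_store, self.client_cert, self.log = trust_store, client_cert, log

    def post(self, host, peer, body):
        server_cert, cert_requested = peer.server_hello()
        if server_cert.subject != host or server_cert.issuer not in self.trust_store:
            raise HandshakeFailure(f"browser: {server_cert.issuer} not trusted for {host}")
        # No CertificateRequest means no client Certificate message; nothing else
        # in the handshake tells the browser it is not talking to the real site.
        peer.finish_handshake(self.client_cert if cert_requested else None)
        self.log.append(f"browser: handshake with {host} complete, sending POST")
        return peer.handle(body)


class OriginServer:
    """The legitimate site: always sends CertificateRequest and aborts the
    handshake for any peer without a cert from its user CA."""

    def __init__(self, cert, user_ca, log):
        self.cert, self.user_ca, self.log = cert, user_ca, log
        self.processed = []
        self.detected_mitm = False

    def server_hello(self):
        return self.cert, True  # True: CertificateRequest sent

    def finish_handshake(self, client_cert):
        if client_cert is None or client_cert.issuer != self.user_ca:
            # This is the only point at which the site learns something is wrong,
            # and it happens before any request is processed.
            self.detected_mitm = True
            self.log.append("origin: no valid client cert from peer, handshake aborted")
            raise HandshakeFailure("origin: client authentication failed")
        self.log.append(f"origin: client {client_cert.subject} authenticated")

    def handle(self, body):
        self.processed.append(body)
        return "200 OK"


class PkiMitm:
    """Interceptor holding a cert for the victim hostname issued by a CA the
    browser trusts (the corporate MitM CA of the thread's scenario)."""

    def __init__(self, cert, origin, log):
        self.cert, self.origin, self.log = cert, origin, log
        self.captured = []

    def server_hello(self):
        return self.cert, False  # False: no CertificateRequest, by choice

    def finish_handshake(self, client_cert):
        assert client_cert is None  # the browser was never asked for one

    def handle(self, body):
        self.captured.append(body)  # plaintext request is already in hand here
        self.log.append("mitm: captured request, forwarding to origin")
        self.origin.server_hello()
        try:
            # The MitM cannot replay alice's cert: it lacks her private key for
            # CertificateVerify, so it has nothing acceptable to present.
            self.origin.finish_handshake(None)
        except HandshakeFailure:
            return "502 Bad Gateway"  # or whatever response the MitM chooses to forge
        return self.origin.handle(body)


def run(intercept, trust_corp_ca=True):
    """Constructed scenario: alice POSTs her login to bank.example, either
    directly or via the MitM. Returns what each party ended up with."""
    log = []
    origin = OriginServer(Cert("bank.example", "PublicRootCA"), "BankUserCA", log)
    trust = {"PublicRootCA"} | ({"CorpMitmCA"} if trust_corp_ca else set())
    browser = Browser(trust, Cert("alice", "BankUserCA"), log)
    mitm = PkiMitm(Cert("bank.example", "CorpMitmCA"), origin, log) if intercept else None
    body = "POST /login user=alice&password=hunter2"
    try:
        status = browser.post("bank.example", mitm or origin, body)
    except HandshakeFailure as exc:
        status = f"aborted: {exc}"
    return {"status": status,
            "mitm_captured": mitm.captured if mitm else [],
            "origin_processed": origin.processed,
            "origin_detected_mitm": origin.detected_mitm,
            "log": log}


if __name__ == "__main__":
    for line in run(intercept=True)["log"]:
        print(line)
```

Running `run(intercept=True)` shows the order of events that matters: the MitM has the password before the origin's handshake with it even starts, and the origin's client-cert check only lets it refuse to process a request it will never see in the clear anyway. Running with `trust_corp_ca=False` shows the one place the browser itself can stop this: the trust store.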


