Network Security: Detailed info on Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extension

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security FullDisclosure

[Top] [All Lists]

Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extension

from [Tim] Network Security

[Permanent Link]

Subject:	Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
Date:	Wed, 30 May 2007 06:49:38 -0400

A DNS based man in the middle attack will not work against a SSL
enabled webserver. This is because SSL certificates certify an
association between a specific domain name and an ip address. An
attempted man in the middle attack against a SSL enabled Firefox
update server will result in the browser rejecting the connection to
the masquerading update server, as the ip address in the SSL
certificate, and the ip address returned by the DNS server will not
match.


False.  SSL certificates do not authenticate DNS/IP associations.  They
authenticate public key/DNS associations.  The difference is likely
irrelevant to this issue, but be sure you understand SSL's PKI when you
explain such things, lest you confuse crypto noobs.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More messages with this same subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Christopher Soghoian Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Tim <= Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Ferruh Mavituna Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Steven Adair Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Matthew Murphy Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Joey Mengele Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Dr. Neal Krawetz PhD Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, coderman Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, tx Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Joey Mengele

Previous by Date:	[Full-disclosure] Palimm Palimm, Thierry Zoller
Next by Date:	Re: [Full-disclosure] The Next Super JavaScript Malware - the web has crashed, pdp (architect)
Previous by Thread:	[Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Christopher Soghoian
Next by Thread:	Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions, Ferruh Mavituna
Indexes:	[Date] [Thread] [Top] [All Lists]