Re: SSL/TLS passive sniffing
- To: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
- Subject: Re: SSL/TLS passive sniffing
- From: Dirk-Willem van Gulik <[EMAIL PROTECTED]>
- Date: Wed, 1 Dec 2004 23:12:51 -0800 (PST)
- Cc: Ben Nagy <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
- Sender: [EMAIL PROTECTED]
On Wed, 1 Dec 2004, Anne & Lynn Wheeler wrote:
> the other attack is on the certification authorities business process
Note that in a fair number of Certificate issuing processes common in
industry the CA (sysadmin) generates both the private key -and-
certificate, signs it and then exports both to the user's PC (usually
as part of a VPN or Single Sign-On setup). I've seen situations more than
once where the 'CA' keeps a copy of both on file. Generally to ensure that
after the termination of an employee or the loss of a laptop things 'can
be set right' again.
Suffice to say that this makes eavesdropping even easier.
Dw
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]