Re: [squid-users] squid and CA

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 27 Oct 2001 11:59:00 +0200

Not more than what you can do on any network equipment.

SSL has a couple of weaknesses in older browsers, allowing a middle man
to downgrade the encryption and similar issues, making it a lot easier
to brute-force crack the encryption keys.

If traffic is redirected to another SSL server, browsers will at least
complain on mismatch in name between the server and its certificate or
on the certificate being self signed. If users select to continue anyway
they are on their own, and quite likely many will, at least on sites that
are non-important to the user... (users tend to always press OK on any
dialog box they see, no matter what it says...).

If the middle man has access to the server's private key, or has managed
to fool another CA into creating an incorrectly issued certificate for the
same domain, then he can do mostly anything he wants with the traffic
without anyone noticing.

Regards
Henrik Nordström
Squid Hacker

Rick Francis wrote:
>
> can hijacking, injecting techniques be used against packets on a squid
> server that are encrypted from a recognized CA?
Received on Sat Oct 27 2001 - 04:13:46 MDT
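The checks Henrik describes (name mismatch, self-signed certificate) and the case they cannot catch (a correctly named certificate from a trusted CA that should never have been issued) can be modelled on the client side. The following is an added example, not code from the thread or from Squid; the certificates are constructed Python dicts in the shape that `ssl.SSLSocket.getpeercert()` returns, and the trust store, CA names and hostnames are made up for the illustration. The point is that a client which fails closed on every listed problem refuses the redirected-server and self-signed cases, yet accepts the mis-issued certificate, which is exactly why that case "goes unnoticed".

```python
"""Model of the certificate checks a TLS client applies before trusting a server.

Constructed illustration: the certificate dicts below mimic the structure of
ssl.SSLSocket.getpeercert() but are invented for this example.
"""
import ssl
import time

# Constructed trust store: issuer names this client accepts. Two CAs are listed
# so the mis-issuance case (second CA issues for a name it should not) can be shown.
TRUSTED_ISSUERS = {
    ((("commonName", "Example Root CA"),),),
    ((("commonName", "Other Trusted CA"),),),
}

# Constructed certificates (not real). Validity covers the year 2001-2002.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2001 GMT",
    "notAfter": "Dec 31 23:59:59 2002 GMT",
}
# A middle man's own certificate: issuer equals subject, i.e. self-signed.
SELF_SIGNED = dict(GOOD_CERT, issuer=GOOD_CERT["subject"])
# Traffic redirected to another SSL server with a genuine certificate for its own name.
WRONG_NAME = dict(GOOD_CERT, subject=((("commonName", "proxy.example.net"),),),
                  subjectAltName=(("DNS", "proxy.example.net"),))
# A trusted CA fooled into issuing for www.example.com: indistinguishable to the client.
MISISSUED = dict(GOOD_CERT, issuer=((("commonName", "Other Trusted CA"),),))


def hostname_matches(pattern, hostname):
    """RFC 6125 style match: one leading '*' label matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard may only stand for the left-most label and never for "*.tld".
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert):
    """DNS names from subjectAltName, which is what browsers match the host against."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def evaluate_certificate(cert, hostname, now=None):
    """Return the list of reasons to refuse this certificate; empty means it passes."""
    now = time.time() if now is None else now
    problems = []
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    if cert["issuer"] not in TRUSTED_ISSUERS:
        problems.append("issuer not trusted")
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form used above.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(hostname_matches(p, hostname) for p in san_dns_names(cert)):
        problems.append("hostname mismatch")
    return problems


def accept(cert, hostname, now=None):
    """Fail closed: there is no 'continue anyway' button in this client."""
    return not evaluate_certificate(cert, hostname, now)


if __name__ == "__main__":
    at = 1000000000  # epoch seconds in September 2001, inside the validity window
    for label, cert in [("good", GOOD_CERT), ("self-signed", SELF_SIGNED),
                        ("wrong name", WRONG_NAME), ("mis-issued", MISISSUED)]:
        print(label, "->", evaluate_certificate(cert, "www.example.com", now=at) or "accepted")
```

Running the module prints "accepted" for both the good and the mis-issued certificate, which is the limitation of trust-store validation alone; detecting the mis-issued case needs information beyond what the client sees in the handshake, such as the server operator comparing the certificates in use against what they actually had issued.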
