What *are* they smoking?

Steven M. Bellovin smb at research.att.com
Tue Sep 16 01:25:29 UTC 2003


It's bad enough now; it could be even worse.  They could respond on 
port 443, too, with a legitimate-seeming certificate -- they're 
*Verisign*, the leading certficate authority.

In the security world, we call this a man- (or monkey-)in-the-middle
attack, for which the standard defense is crypto.  But that doesn't 
work well when your trusted third party is part of the threat model...


		--Steve Bellovin, http://www.research.att.com/~smb





More information about the NANOG mailing list