SSL Question

Hi,

I have a browser client that talks to a servlet using mutual authentication over SSL/HTTPS. This I believe secures the application against man in the middle type of attacks but am I right in assuming that this traffic could be intercepted by a local http proxy on the client machine - possibly changed and then sent onto the servlet?

If this is possible is there some way to provide message level security to the traffic? The data is quite sensitive and the most likely form of attack is from someone attempting to masquerade as another user after login stage.

Thanks.

By TK009a at 2007-11-27 10:45:26
# 1

The proxy can only participate in the plaintext if it is a trusted endpoint to both the client and the server, in the same way that client and server trust each other. Otherwise all it is seeing is ciphertext and it can't do anything with that without tamper-evidence.

ejpa at 2007-7-28 20:12:56 > top of Java-index,Security,Java Secure Socket Extension (JSSE)...
# 2

Not too sure that this is correct. I am using an http/https sniffer (Fiddler) on the client machine and I can change the IE settings to proxy all traffic to localhost and then I can send the traffic to this sniffer. I can use the sniffer to amend the request before sending to the server. The traffic is not encrypted and is clearly visible. I believe SSL offers transport layer security but does nothing to secure the message. That's why sites that run web services and are looking to secure them not only run over SSL but also use some type of SOAP message security. I am a newbie to web security but if I have misrepresented anything above please let me know.

TK009a at 2007-7-28 20:12:56
# 3

> I believe SSL offers transport layer security but does nothing to secure the message.

What would that mean if it didn't imply encryption?

The HTTP CONNECT message is passed in plaintext. The remainder of the conversation occurs in ciphertext.

ejpa at 2007-7-28 20:12:56
# 4

I hear what you're saying but I can clearly see what is getting sent between client and server when routing the traffic via a sniffer on the client. I am using self-signed certs for both client and server. Does the encryption not take place at the external network card/interface level thus the proxy can see the traffic in cleartext before it is encrypted?

TK009a at 2007-7-28 20:12:56
# 5

Then your proxy is a trusted endpoint to one of the real endpoints and is talking plaintext to the other endpoint for some reason. Obviously your system is not secure. At this point you should hire a security consultant.

> Does the encryption not take place at the external network card/interface level

The encryption takes place inside each endpoint host. Unless you have a hardware crypto accelerator it happens in software. In any case it happens way before the NIC gets to see it.

ejpa at 2007-7-28 20:12:56
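
The "trusted endpoint" condition from replies #1 and #5, as an added example that is not part of the original thread: it shows a client trust store that holds only the server's self-signed certificate rejecting a proxy's certificate, and accepting it only once that certificate has been added to the store. The certificate names, file names and helper functions are constructed for the demo, and it assumes OpenSSL 1.1.0 or later on the PATH.

```bash
#!/bin/sh
# Added example: all names and certificates here are constructed for the demo.
# Assumes OpenSSL 1.1.0 or later on PATH.

# Create a throwaway self-signed certificate and key for CN=$1 in directory $2.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.crt" >/dev/null 2>&1
}

# Print "accept" if certificate $2 verifies against trust file $1, else "reject".
client_decision() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Build both trust stores in a temp dir and report the client's three decisions.
run_demo() {
  d=$(mktemp -d) || return 1
  make_cert servlet-host "$d" || return 1   # the real server's self-signed cert
  make_cert local-proxy "$d" || return 1    # what an intercepting proxy presents

  # Trust store holding only the real server certificate.
  cp "$d/servlet-host.crt" "$d/trust-server-only.pem"
  # Trust store after someone has also accepted the proxy's certificate.
  cat "$d/servlet-host.crt" "$d/local-proxy.crt" > "$d/trust-with-proxy.pem"

  server=$(client_decision "$d/trust-server-only.pem" "$d/servlet-host.crt")
  proxy=$(client_decision "$d/trust-server-only.pem" "$d/local-proxy.crt")
  proxy_trusted=$(client_decision "$d/trust-with-proxy.pem" "$d/local-proxy.crt")
  rm -rf "$d"
  echo "server=$server proxy=$proxy proxy_after_trust=$proxy_trusted"
}

run_demo
```

With mutual authentication the servlet makes the same decision about the certificate presented to it, so the proxy would also need a client credential the servlet trusts.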