Re: Are client side certificates good enough against phising?

[Marc-André Laverdière <marc-andre () atc tcs com>]

Hello,

In a MITM attack, the attacker can do pretty much anything. The client
certificates wouldn't save you.

Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India

On Saturday 05 February 2011 01:55 AM, Marcel Constantopulos wrote:
> Hi,
>
> This is my first post on the list, and I'm very happy that I've found you.
> I was wondering if the client side certificates are good enough
> against phishing.
>
> Can an attacker use what he receives from the victim to impersonate as
> the victim?
>
> I do not know exactly how the client-server authentification works, I
> assume that the web-server asks for the client to have the certificate
> by asking it to sign one random sequence of numbers/text, and then the
> server authenticates the client with the client's public key.
>
> If the above is true, I guess that a hacker/thief would initiate first
> the comunication from the server, and then pass on the request to the
> victime, and afterwards using what he receives from the victime to
> authenticate himself against the server.
>
> It might be a bit simplistic the way I think, cause I do not have that
> much experience with SSL. I know a bit about the SSL handshake...
>
> Thank you,
> Marcel
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now! 
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------