| Re: PHP mysql_excape but need to search for those items [message #178401 is a reply to message #178382] |
Thu, 14 June 2012 06:47   |
Arno Welzel
Messages: 317
Registered: October 2011
Karma:
|
Senior Member |
|
|
Jerry Stuckle, 12.06.2012 14:00:
> On 6/12/2012 5:35 AM, Arno Welzel wrote:
>> Jerry Stuckle, 11.06.2012 23:06:
>>
>>> On 6/11/2012 2:38 PM, J.O. Aho wrote:
>> [...]
>>>> Don't forget man in the middle, using https will not protect against
>>>> that.
>>>
>>> Actually, it will. HTTPS transmissions are encrypted between the client
>>> and the server using public/private key encryption. That's the whole
>>> purpose of HTTPS.
>>
>> But only if the client *only* trusts the specific certificate. Otherwise
>> the man in the middle can just set up a proxy which also accepts SSL
>> connections and provides a valid certificate. There have been a number
>> of broken CAs in the past which allowed virtually anyone to create
>> signed and "trusted" certificates for any domain
>
> Setting up a proxy would mean alternations to the domain name servers
> data. Additionally, the certificate either would not match the domain
> name or the certificate would not be signed by a recognized authority
> (which is a good reason to use a trusted certificate).
Nameservers can be compromised - e.g. by cache poisoning.
> I don't know of any broken CAs in the past, but there could have been.
> However, the ones I use won't issue a certificate just to anyone.
And these are?
Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
already got compromised.
Also see:
< http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
< http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced- mitm-attack/>
The whole model of trusting CAs and not single certificates (as in SSH)
must be considered broken.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]