Anders Rundgren wrote:
[...]
There is though a general weakness in schemes that do not terminate
the client-side in the SSL channel [...]
this deficiency is eliminated by
"targeting" the client-side operation for the site and certificate in
the server-end. By doing that the receiver (server), can immediately
detect if the operation has gone through a phishing proxy or not. It is
an extra test to do but rather simple.

They are indeed tricks to enhance the situation and try to detect that the currently connected client is subject to a MITM attack, but it doesn't resolve the problem entirely. It is still theoretically possible for the MITM attacker to adapt to this and to modify on the fly the dynamic content that implements the check to circumvent it. You could take all weaknesses and solve them one by one, but you'd end up having implemented a new secure channel on top of the HTTP connection.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
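
The "targeting" check described in the quoted message, as an added sketch that is not part of the original thread: the client signs the origin and certificate fingerprint it actually saw, and the server compares them with its own. All names, the key, the certificates and the origin are constructed; HMAC stands in for the client's signature, and the signing code is assumed to run outside any content delivered over the channel being checked.

```python
import hashlib
import hmac
import json

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def _tag(key: bytes, msg: dict) -> str:
    blob = json.dumps(msg, sort_keys=True).encode()
    # HMAC is a stand-in for the client's signature (assumption, stdlib only)
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def client_sign(key, nonce, origin, seen_cert_der, payload) -> dict:
    """Bind the operation to the site and TLS certificate the client saw."""
    msg = {"nonce": nonce, "origin": origin,
           "cert_sha256": fingerprint(seen_cert_der), "payload": payload}
    return {"msg": msg, "tag": _tag(key, msg)}

def server_verify(key, expected_nonce, my_origin, my_cert_der, signed) -> str:
    msg = signed["msg"]
    if not hmac.compare_digest(_tag(key, msg), signed["tag"]):
        return "reject: bad signature"
    if msg["nonce"] != expected_nonce:
        return "reject: stale or replayed nonce"
    if msg["origin"] != my_origin:
        return "reject: signed for another site"
    if msg["cert_sha256"] != fingerprint(my_cert_der):
        return "reject: client saw a different certificate"
    return "accept"

# Constructed sample data (not real certificates or keys)
KEY = b"constructed-demo-key"
SERVER_CERT = b"constructed DER bytes of the real server certificate"
OTHER_CERT = b"constructed DER bytes of an intermediary's certificate"
ORIGIN = "https://bank.example"

def demo() -> list:
    nonce = "n-0001"
    direct = client_sign(KEY, nonce, ORIGIN, SERVER_CERT, "transfer 10 EUR")
    relayed = client_sign(KEY, nonce, ORIGIN, OTHER_CERT, "transfer 10 EUR")
    # Rewriting the signed fingerprint in transit invalidates the signature
    patched = {"msg": dict(relayed["msg"], cert_sha256=fingerprint(SERVER_CERT)),
               "tag": relayed["tag"]}
    return [server_verify(KEY, nonce, ORIGIN, SERVER_CERT, s)
            for s in (direct, relayed, patched)]

if __name__ == "__main__":
    print(demo())
```
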
