[Vortex] TLS + SASL auth ?

Francis Brosnan Blazquez francis at aspl.es
Thu May 11 19:16:20 CEST 2006

El jue, 11-05-2006 a las 18:45 +0200, milton.yates at loule.info escribió:

Hi Milton!

> --> this is to prevent man in the middle attacks, where a man in the
> middle would present to the client a random TLS certificate, and the
> client would trust him and send its authentication credentials, for
> example in PLAIN SASL... then the attacker would have gained these
> credentials.

Nice explanation. In fact, as you note, this is the only situation that
would make the tandem TLS_ANONYMOUS+SASL to fail as security solution
(as the secure web servers fail by phising).

I've added this comments to the bug report [1]


[1] http://dolphin.aspl.es/cgi-bin/bugzilla/show_bug.cgi?id=316

Francis Brosnan Blazquez <francis at aspl.es>
Advanced Software Production Line, S.L.

More information about the Vortex mailing list