[Vortex] TLS + SASL auth ?

Francis Brosnan Blazquez francis at aspl.es
Thu May 11 19:16:20 CEST 2006


On Thu, 11-05-2006 at 18:45 +0200, milton.yates at loule.info wrote:

Hi Milton!

> --> this is to prevent man in the middle attacks, where a man in the
> middle would present to the client a random TLS certificate, and the
> client would trust him and send its authentication credentials, for
> example in PLAIN SASL... then the attacker would have gained these
> credentials.

Nice explanation. In fact, as you note, this is the only situation that
would make the tandem TLS_ANONYMOUS+SASL fail as a security solution
(as the secure web servers fail by phishing).

I've added these comments to the bug report [1]

Cheers!

[1] http://dolphin.aspl.es/cgi-bin/bugzilla/show_bug.cgi?id=316

-- 
Francis Brosnan Blazquez <francis at aspl.es>
Advanced Software Production Line, S.L.
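
Added example, not part of the original thread and not Vortex code: a client-side gate that withholds SASL PLAIN credentials unless the TLS configuration authenticates the server, which is the case the quoted paragraph describes. The function names and the mechanism preference order are assumptions made for this sketch.

```python
import ssl

# SASL mechanisms that transmit the password itself to the TLS peer.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# Client preference order (assumed for this example).
PREFERENCE = ["DIGEST-MD5", "CRAM-MD5", "PLAIN"]


def verified_context(cafile=None):
    """Client context that requires a CA-signed certificate matching the host name."""
    return ssl.create_default_context(cafile=cafile)


def anonymous_context():
    """Client context that accepts any certificate: encryption without server identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_is_authenticated(ctx):
    """True only if the handshake will reject unknown or mismatched certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def choose_mechanism(offered, ctx):
    """Return the preferred offered mechanism, never a cleartext one on an unverified channel."""
    for mech in PREFERENCE:
        if mech not in offered:
            continue
        if mech in CLEARTEXT_MECHS and not server_is_authenticated(ctx):
            continue                    # whoever holds the certificate would read the password
        return mech
    return None


def plain_message(ctx, authcid, password, authzid=""):
    """Build the RFC 4616 PLAIN message, refusing when the server is unverified."""
    if not server_is_authenticated(ctx):
        raise PermissionError("server certificate not verified; PLAIN withheld")
    return f"{authzid}\0{authcid}\0{password}".encode("utf-8")
```

The check inspects the context a connection would be created from; a client that negotiates TLS dynamically would apply the same test to the established session before starting SASL.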