spoof rsa fingerprint

Gordon Messmer yinyang at eburg.com
Tue Nov 17 16:33:34 UTC 2009


On 11/17/2009 04:53 AM, Patrick O'Callaghan wrote:
>
> It's my understanding that the password would still be sent over an
> encrypted channel (using the original host's public key), so I don't see
> the problem.
>    

There is no original host in the hypothesized scenario.  There's an 
attacker whose public key has a fingerprint that matches the original 
host.  The victim connects to the attacker instead of the original 
host.  Since the original host isn't involved, the original host's key 
won't be either.

However, as previously stated, this is extraordinarily difficult by design.
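
The following is an added example, not part of the original message: it computes an SSH RSA host-key fingerprint from the public-key blob and checks a presented key against a pinned fingerprint, which is the comparison the hypothesized attacker would have to pass with a different key. The function names are hypothetical and the two moduli are constructed sample integers, not real key pairs.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Positive mpint; the extra leading zero byte keeps the high bit clear."""
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def rsa_public_blob(e: int, n: int) -> bytes:
    """ssh-rsa public-key blob (RFC 4253 section 6.6): key type, e, n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated hex MD5 of the blob, the format shown by 2009-era clients."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(blob: bytes) -> str:
    """Unpadded base64 SHA-256 of the blob, the format newer OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(presented_blob: bytes, pinned_fingerprint: str) -> bool:
    """Hash the key the server presents and compare it to the pinned value."""
    if pinned_fingerprint.startswith("SHA256:"):
        actual = fingerprint_sha256(presented_blob)
    else:
        actual = fingerprint_md5(presented_blob)
    return hmac.compare_digest(actual, pinned_fingerprint)

# Constructed sample values: two different 2048-bit integers standing in for moduli.
HOST_BLOB = rsa_public_blob(65537, (1 << 2047) + 0x1234567)
OTHER_BLOB = rsa_public_blob(65537, (1 << 2047) + 0x7654321)
PINNED_MD5 = fingerprint_md5(HOST_BLOB)
PINNED_SHA256 = fingerprint_sha256(HOST_BLOB)

if __name__ == "__main__":
    print("pinned (MD5):   ", PINNED_MD5)
    print("pinned (SHA256):", PINNED_SHA256)
    print("same key accepted:     ", host_key_matches(HOST_BLOB, PINNED_SHA256))
    # A different key only passes if its blob hashes to the pinned value.
    print("different key accepted:", host_key_matches(OTHER_BLOB, PINNED_SHA256))
```
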



