spoof rsa fingerprint
Patrick O'Callaghan
pocallaghan at gmail.com
Tue Nov 17 17:24:00 UTC 2009
On Tue, 2009-11-17 at 08:33 -0800, Gordon Messmer wrote:
> On 11/17/2009 04:53 AM, Patrick O'Callaghan wrote:
> >
> > It's my understanding that the password would still be sent over an
> > encrypted channel (using the original host's public key), so I don't see
> > the problem.
> >
>
> There is no original host in the hypothesized scenario. There's an
> attacker whose public key has a fingerprint that matches the original
> host. The victim connects to the attacker instead of the original
> host. Since the original host isn't involved, the original host's key
> won't be either.
No, the OP's scenario is that there *was* an original host, which
presumably set up the key pair and established a fingerprint. That's the
assumption behind everything I've been saying.
poc
More information about the users
mailing list