[stunnel-users] Cannot connect to SBC/yahoo to send (or telnet)
jimoe at sohnen-moe.com
Fri Dec 5 20:28:20 CET 2008
On 12/01/08 02:10 am, Michal Trojnara wrote:
> Just be aware a configuration without any authentication (a certificate is
> not sent nor verified) is vulnerable to trivial active (MiTM) attacks.
> There are various lamer-friendly tools available, so an attack is no more
> difficult than sniffing a plaintext connection.
(I had sent on 1-Dec-2008 but it never showed up on the list. :-( )
Computer security makes me feel stupid. It has got to be one of the most
opaque concepts in the industry. The problems discussed in this thread are
sbc/yahoo changed their session setup to require an encrypted
connection. Fine. Then they refuse a session if the client offers a
certificate without a CA chain, i.e., self-signed. But they allow a connection
when no client certificate is offered at all.
To verify that sbc is really sbc, a CA certificate is needed from sbc.
But to get said certificate an extremely obscure method must be used. (And
how do I know that the site I connected to is really sbc since I do not
have a CA certificate?) Then more obscure file manipulation and setup is
required for Stunnel.
It is no wonder that computer security is bungled so often. It is set up
to do so.
I see a lot of "All you have to do is these 247 steps..." to accomplish
a "simple" security task. That's assuming I have all of the tools needed.
I am sure that, somewhere, there must be a clear discussion of how
SSL/TLS certificates work, what the client may provide, what the server
may provide, and what is necessary to establish a secure, authenticated
session. I have not found it.
jimoe (at) sohnen-moe (dot) com
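As an added illustration (not part of the original post and not taken from stunnel's own documentation): a stunnel client configuration in the encrypt-only form the quoted warning is about, beside one that authenticates the server against a CA file. The hostname, ports and file path are placeholders, not values from the thread.

```ini
; stunnel.conf, client mode, two alternative service sections.
; Hostname, ports and CA path below are placeholders (assumed, not from the post).

; --- WEAK: encryption only, no authentication of the remote server ---
; Nothing ties the session to the real mail server: an active attacker
; in the path can terminate TLS with any certificate (or none) and relay
; the plaintext onward, and stunnel has no way to notice.
[smtp-noauth]
client  = yes
accept  = 127.0.0.1:2525
connect = smtp.example.invalid:465
; no "verify" and no "CAfile": the peer certificate is never checked

; --- CORRECTED: require a server certificate and verify it against a CA ---
[smtp-verified]
client  = yes
accept  = 127.0.0.1:2526
connect = smtp.example.invalid:465
; verify = 2 demands a peer certificate and checks its chain against CAfile/CApath;
; the handshake fails closed if the chain does not validate.
verify  = 2
; PEM file holding the CA (or intermediate chain) that issued the server's certificate
CAfile  = /etc/stunnel/mail-ca-chain.pem
; Caveat: older stunnel releases do not match the certificate's name against the
; "connect" host, so any certificate from that CA is accepted; newer releases add
; checkHost = smtp.example.invalid to close that gap.
```

The CA chain a server presents can be inspected with `openssl s_client -showcerts -connect host:465`, but a chain fetched over the very connection being authenticated only proves anything once its root is compared against a copy obtained out of band.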