[stunnel-users] Three patches

Michal Trojnara Michal.Trojnara at mirt.net
Mon Jun 7 11:31:14 CEST 2010

Jason Haar wrote:
> The attack you are describing affects every bank in the world running
> HTTPS - and governments are suspected of carrying out these very
> attacks. I don't see banks scurrying around trying to solve it - I think
> it's in the "too hard and I might get killed" basket.

The proposed mechanism is not really an equivalent of HTTPS hostname checks.

First of all, HTTPS certificates are not really compared against reverse
DNS queries, but rather against the hostname part of the URL.  This makes a
difference, as the attacker should not be able to control URLs within an
SSL session.

Also, manual inspection of the hostname contained in the URL is expected to
be performed by the user.  There is a huge difference between connecting to
*any* website with a valid certificate and connecting to a specific bank.

Best regards,
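The distinction drawn in this reply, as an added illustration that is not part of the thread or of stunnel's code: the HTTPS rule takes the reference identity from the URL the user typed, while a reverse-DNS rule takes it from a PTR record that the peer's network operator controls. The subjectAltName tuples mimic the shape returned by Python's `ssl.SSLSocket.getpeercert()['subjectAltName']`, and the certificates, hostnames, addresses and PTR table are all constructed for the example; `ptr_records` stands in for a real reverse lookup so the code runs offline.

```python
"""URL-hostname binding versus reverse-DNS binding of a server certificate.

Added example; not stunnel code.  SAN lists mimic the shape of
ssl.SSLSocket.getpeercert()['subjectAltName'] and are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def hostname_from_url(url: str) -> str:
    """The host the *user* asked for: this is the HTTPS reference identity."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL carries no hostname: %r" % url)
    return host.rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: exact match, or a single '*' as the whole
    left-most label with at least two labels after it (no '*.test')."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_identity(san, expected: str) -> bool:
    """True if some SAN entry names `expected` (a DNS name or an IP literal)."""
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and dns_name_matches(value, expected):
            return True
    return False


def https_style_check(url: str, san) -> bool:
    """HTTPS rule: reference identity comes from the URL, which the peer
    cannot choose."""
    return cert_matches_identity(san, hostname_from_url(url))


def reverse_dns_style_check(peer_ip: str, ptr_records: dict, san) -> bool:
    """Reverse-DNS rule: reference identity comes from the peer's PTR record.
    `ptr_records` is a constructed stand-in for a real reverse lookup."""
    name = ptr_records.get(peer_ip)
    return name is not None and cert_matches_identity(san, name)


# Constructed data: the bank's certificate, and an unrelated but valid
# certificate whose holder also controls the PTR record for 192.0.2.10.
BANK_SAN = (("DNS", "www.example-bank.test"), ("DNS", "*.example-bank.test"))
OTHER_SAN = (("DNS", "www.other-site.test"), ("DNS", "*.other-site.test"))
PTR = {"192.0.2.5": "www.example-bank.test",
       "192.0.2.10": "mail.other-site.test"}


def demo():
    url = "https://login.example-bank.test/account"
    return {
        # URL-based check: the bank's certificate passes, any other valid one fails
        "https_bank": https_style_check(url, BANK_SAN),
        "https_other": https_style_check(url, OTHER_SAN),
        # PTR-based check: whoever publishes the PTR chooses the name that gets
        # checked, so a valid certificate for *that* name passes whatever the
        # user intended to reach
        "ptr_bank": reverse_dns_style_check("192.0.2.5", PTR, BANK_SAN),
        "ptr_other": reverse_dns_style_check("192.0.2.10", PTR, OTHER_SAN),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The two `*_other` results are the point: against the URL, a certificate for some other site is rejected, while against a PTR name it is accepted, because the PTR-based check only establishes "valid certificate for whatever name the peer side advertises", not "the host the user meant".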

