From owner-freebsd-security@freebsd.org Mon Sep 26 12:52:44 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 420ABBE6830 for ; Mon, 26 Sep 2016 12:52:44 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E711FE7B for ; Mon, 26 Sep 2016 12:52:43 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: by mail-wm0-x22a.google.com with SMTP id b130so147638805wmc.0 for ; Mon, 26 Sep 2016 05:52:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=i+N5fKLQzlB/0Ns6QV57HEiyExeN8kIluYP7rMzNrm4=; b=BV0hXLR0fSTzGlRlavhStACIYccUsuRcrSGNo0iK1130KKGargsXWCbTbNBx0OvitJ SrjOu2uzCVt33M11hF2KcIJRNZ7jRIe+D20Sw8WTipcTU4TwvTFJcLylND35K3UI2DCm 5y6Hu7nVYJvtVtQ4yQszVpP+igyIADp2jTmilHo67zOUKVld2ZeI7trYKwZ6Cz2ld1X6 5tkgkLO69VAb7G5T2NzUa2jlz1pjiaWVJwQhqOPaxhkzpc/O75YPWxOzidJsQG1b2rr+ fZPfTl5sVlGS1ZPwKw8qLOnKhMxyZfhmpyiRXtT1SAeLpsXJdi8ITLYvnFxW2Pbv2qLA K+wg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=i+N5fKLQzlB/0Ns6QV57HEiyExeN8kIluYP7rMzNrm4=; b=WKUaQbheJZQc9cWhnap1hmXBtV5mTaSEmDovd+bVtnHccCw23McclIquvNwgKXovdc 2fDJoln/0pasGYr8C/v0MEKQY3FdCWvTAbHFslgnODFkgVH7Is9/FtyLxuIL6i5UCHNc FvoEx6DOGYJZAvoe+GXBY5TrO5ZNNiD+p/rPDzNtdulUyx1j6/QHKjbwYlFP9lBDFyEq QPtHUjQI32wHyovoyah5JYAPK4GE8RzKZSFE5HBdA5l5ty46jytNYcDX1XTP1/TL828N kc2F3/GWYFlm0wFcxPk14uWNEReAS8xfNHsiEOGMbfXC7uVoC/l85ch3T48fND1mGiu7 DYYw== X-Gm-Message-State: AA6/9RnwQ3ddwjsatvyr0yvfziy8nXZYgpjKZWE7EutMVC3wZ7Q7cue2kax1vlk2PL+/KQ== X-Received: by 10.28.105.18 with SMTP id e18mr13461287wmc.14.1474894362105; Mon, 26 Sep 2016 05:52:42 -0700 (PDT) Received: from gumby.homeunix.com ([81.17.24.158]) by smtp.gmail.com with ESMTPSA id f69sm11111896wmg.19.2016.09.26.05.52.40 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 26 Sep 2016 05:52:41 -0700 (PDT) Date: Mon, 26 Sep 2016 13:52:38 +0100 From: RW To: freebsd-security@freebsd.org Subject: Re: Two Dumb Questions Message-ID: <20160926135238.6296ddc2@gumby.homeunix.com> In-Reply-To: <32084.1474872154@segfault.tristatelogic.com> References: <32084.1474872154@segfault.tristatelogic.com> X-Mailer: Claws Mail 3.14.0 (GTK+ 2.24.29; amd64-portbld-freebsd10.3) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Sep 2016 12:52:44 -0000 On Sun, 25 Sep 2016 23:42:34 -0700 Ronald F. Guilmette wrote: > Here's my point: If you really have already managed to become > the man-in-the-middle anyway, then couldn't you just dummy up > any and all responses, including those for DNS, in such a way > as to make it all appear to the victim that everything was > "normal", you know, such that he can see the cute little > padlock symbol to the left of the URL in the browser? There's a simple paint analogy here: https://en.wikipedia.org/wiki/Diffie=E2=80=93Hellman_key_exchange that illustrates how it's possible to exchange a shared secret without an eavesdropper knowing what it is. The shared secret can then be used for symmetric encryption using something like AES. Actual protocols use public key cryptography so it can be established that the exchange is end to end, and not broken into two separate exchanges.