>>>>> "Martin" == Martin Rex <[log in to unmask]> writes:
Martin> Klaas Wierenga wrote:
>>
>> On 5/26/10 8:28 PM, Sam Hartman wrote:
>> >
>> > 1) The IDP MUST verify that channel binding data is asserted by the
>> > expected RP and has been modified by no other party
>> >
>> > 2) The client MUST verify that the channel binding data
>> > corresponds to the channel that is in use.
>> >
>> > Those two are enough that the user will learn through the web
>> > browser if the connection is under attack. However, that's
>> > not enough to defend against a server that fakes successful
>> > authentication or to learn at the SASL protocol level about a
>> > channel binding failure.
>>
>> Just to understand, what does channel binding buy you if you
>> still can not prevent the MiTM?
Ah, I think I finally understand the question.
So, the channel binding does detect the MITM, but the question is how is
this communicated and to whom.
The two changes above are sufficient that the user would get an
authentication failure error in the browser. However, it's not
sufficient that the client application would be able to learn of this
failure without somehow parsing the web page. The other changes I
proposed were sufficient for both the web browser and the client
application to learn of the attack.
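As an added illustration that is not part of this thread, the two verification rules quoted above (the IdP checks that the channel binding data comes unmodified from the expected RP; the client checks that it matches the channel it is actually on) simulated in Python. Everything here is constructed: the certificate bytes, the RP identifier, and an RP/IdP shared HMAC key that stands in for whatever integrity mechanism a real deployment uses to protect the RP's assertion. The tls-server-end-point style binding is simplified to a SHA-256 of the certificate bytes. The example shows which rule catches a plain MITM and which catches an attacker that rewrites the binding data; how the failure is then reported to the client application, the open point in the message above, is outside its scope.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values for the simulation (not from any real deployment).
RP_IDP_KEY = b"constructed-rp-idp-shared-key"   # stands in for the RP->IdP integrity mechanism
RP_ID = "https://rp.example/"                    # the RP the IdP expects to hear from
RP_CERT = b"constructed DER certificate for rp.example"
ATTACKER_CERT = b"constructed DER certificate for the interposed host"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """Channel binding derived from the server certificate the client sees.
    Simplified: RFC 5929 chooses the hash from the certificate's signature
    algorithm; SHA-256 is assumed for the constructed certificates here."""
    return hashlib.sha256(cert_der).digest()


@dataclass
class CBAssertion:
    rp_id: str      # who claims to have produced the binding data
    cb_data: bytes  # the channel binding data itself
    mac: bytes      # RP's integrity tag over (rp_id, cb_data)


def _tag(rp_id: str, cb_data: bytes) -> bytes:
    return hmac.new(RP_IDP_KEY, rp_id.encode() + b"|" + cb_data, "sha256").digest()


def rp_assert_channel_binding(rp_cert_der: bytes) -> CBAssertion:
    """The RP asserts the binding for the TLS channel it terminates."""
    cb = tls_server_end_point(rp_cert_der)
    return CBAssertion(RP_ID, cb, _tag(RP_ID, cb))


def idp_verify(assertion: CBAssertion, expected_rp: str) -> bool:
    """Rule 1: the IdP accepts binding data only from the expected RP,
    and only if no other party has modified it."""
    if assertion.rp_id != expected_rp:
        return False
    return hmac.compare_digest(_tag(assertion.rp_id, assertion.cb_data), assertion.mac)


def client_verify(assertion: CBAssertion, channel_cert_der: bytes) -> bool:
    """Rule 2: the client compares the asserted binding data with the
    channel it is actually using (the certificate it negotiated with)."""
    return hmac.compare_digest(assertion.cb_data, tls_server_end_point(channel_cert_der))


def run_exchange(client_sees_cert: bytes, rp_cert: bytes, expected_rp: str = RP_ID) -> dict:
    """Honest RP assertion; the client may or may not be talking to the RP directly.
    With an interposed host the client's channel differs from the RP's, so rule 2 fails."""
    assertion = rp_assert_channel_binding(rp_cert)
    return {
        "idp_ok": idp_verify(assertion, expected_rp),
        "client_ok": client_verify(assertion, client_sees_cert),
    }


def run_rewritten_assertion(attacker_cert: bytes, rp_cert: bytes) -> dict:
    """The binding data is replaced with the interposed host's own so that the
    client's comparison passes; the tag no longer verifies, so rule 1 fails at the IdP."""
    genuine = rp_assert_channel_binding(rp_cert)
    forged = CBAssertion(genuine.rp_id, tls_server_end_point(attacker_cert), genuine.mac)
    return {
        "idp_ok": idp_verify(forged, RP_ID),
        "client_ok": client_verify(forged, attacker_cert),
    }


if __name__ == "__main__":
    print("direct connection:", run_exchange(RP_CERT, RP_CERT))
    print("interposed channel:", run_exchange(ATTACKER_CERT, RP_CERT))
    print("rewritten binding data:", run_rewritten_assertion(ATTACKER_CERT, RP_CERT))
```

In the direct case both checks pass; with an interposed channel the IdP still sees a valid RP assertion but the client's comparison fails; if the binding data is rewritten to satisfy the client, the IdP's integrity check fails instead. Either way the mismatch is detected by one of the two parties, which is the point of the thread: detection is available, and the remaining question is how that outcome reaches the client application.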