Thursday, January 1, 2015

Are VPNs vulnerable to active man-in-the-middle attacks?



I know that with SSL/TLS, man-in-the-middle attacks are not possible. For example, if Alice and Bob are trying to communicate and Trudy is trying to perform a man-in-the-middle attack, then when Alice gets the public key from Bob (but really it is Trudy tricking Alice), the public key will not match with the certificate authorities and therefore will not work.


I know with SSH, only the first connection to a server is possibly open to an active man-in-the-middle attack. This is because during the first connection, the client records the server's public key in the $HOME/ssh/known_hosts file. Every connection after that checks this file to make sure the public keys match.


But how does VPN encryption work with connection set-up? Are certificates used for passing the symmetric keys like in SSL/TLS? If not, does this not make VPNs vulnerable to active man-in-the-middle attacks during key exchanges?
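
The trust-on-first-use check the post describes for SSH, sketched as an added example that is not part of the original post: the first key seen for a host is pinned without verification, and every later connection is compared against that pin. The `KnownHosts` class, the host name and the key bytes are constructed for illustration; the fingerprint format follows OpenSSH's `SHA256:` convention.

```python
import base64
import hashlib
import hmac


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """In-memory stand-in for a known_hosts file (hypothetical helper)."""

    def __init__(self):
        self.pins = {}  # host name -> pinned fingerprint

    def check(self, host: str, presented_key: bytes) -> str:
        fp = fingerprint(presented_key)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: there is nothing to compare against, so the key
            # is accepted on trust and pinned. This is the only unauthenticated step.
            self.pins[host] = fp
            return "first-use"
        # Later contacts: any key other than the pinned one is rejected.
        if hmac.compare_digest(pinned, fp):
            return "match"
        return "mismatch"


# Constructed sample key blobs (not real SSH keys).
SERVER_KEY = b"constructed-server-public-key"
OTHER_KEY = b"constructed-different-public-key"


def demo():
    kh = KnownHosts()
    return [
        kh.check("server.example", SERVER_KEY),  # pinned on first use
        kh.check("server.example", SERVER_KEY),  # same key later
        kh.check("server.example", OTHER_KEY),   # different key later
    ]


def demo_unpinned():
    # With an empty store, whatever key is presented first gets pinned.
    return KnownHosts().check("server.example", OTHER_KEY)


if __name__ == "__main__":
    print(demo(), demo_unpinned())
```

Verifying the first fingerprint out of band (for example, against a value published by the server's administrator) closes the gap that `demo_unpinned` shows.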




