Martin Rex | 15 Sep 2010 02:44

Re: Root certificates in server certificate chains

Matt McCutchen wrote:
> 
> What attack are you describing?  If the attacker replaces the entire
> Certificate message with one containing his public key chained to a
> bogus root certificate, that is just a MITM attack.  If the attacker
> does some tampering but does not replace the server's public key with
> his own, he has no way to generate valid Finished messages.

At the TLS level, this is not a MitM attack.
TLS (at least when no old/vulnerable renegotiation can be coerced)
reliably protects against MitM.  What you're describing, if it
succeeds at the TLS level, is a TLS server impersonation, and
unless the server has somehow acquired the real server's
credentials, could only happen if the client's method to
identify (or authenticate) the server is fatally flawed.

At the application(!) level, the attack might still
be a MitM attack.  It does not necessarily require a
TLS-encrypted communication channel between the impersonating
server and the real server.

-Martin
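The "fatally flawed" client method Martin refers to, made concrete as an added example (not part of this thread or of any TLS implementation discussed in it): a root certificate that the server includes in its Certificate message is harmless to send, but a client that treats such a sent self-signed certificate as a trust anchor accepts any chain an impersonating server cares to construct. The Go program below uses only the standard library. It constructs two CAs at run time (a "trusted" one placed in the client's root store and a "bogus" one the client has never seen), issues a certificate for the hypothetical host www.example.com from each, and runs both chains through a flawed and a correct verifier. The self-signed test (`bytes.Equal(c.RawIssuer, c.RawSubject)` plus a self-signature check) and the pool handling are this example's own choices; in the correct variant a sent root that is not in the local store ends up in the intermediates pool, where it can never terminate a chain, so `Verify` reports an unknown authority.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name (all key material here is constructed at run time);
// ca selects a CA profile, and a nil parent makes the certificate self-signed.
func issue(name string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyServerChain models a client's check of a TLS Certificate message: chain[0] is the
// end-entity certificate, the rest is whatever the server sent, trusted is the client's own
// root store. With trustSentRoots set, a self-signed certificate found in the message is
// also accepted as a trust anchor, which is the flawed behaviour.
func VerifyServerChain(chain, trusted []*x509.Certificate, host string, trustSentRoots bool) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range chain[1:] {
		// A sent root that is not in the local store goes into intermediates, where it can
		// never terminate a chain, so Verify fails with an UnknownAuthorityError.
		if trustSentRoots && bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			intermediates.AddCert(c)
		}
	}
	_, err := chain[0].Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RunScenario builds a trusted CA and an attacker-controlled CA, issues a certificate for the
// same hostname from each, and reports how the flawed and the correct client judge the
// attacker's chain, plus whether the correct client still accepts a genuine chain that
// redundantly includes its root.
func RunScenario() (flawedAcceptsBogus, correctAcceptsBogus, correctAcceptsGenuine bool, err error) {
	const host = "www.example.com" // hypothetical host name
	trustedCA, trustedKey, e1 := issue("Trusted Root CA (constructed)", true, nil, nil)
	bogusCA, bogusKey, e2 := issue("Bogus Root CA (constructed)", true, nil, nil)
	genuineLeaf, _, e3 := issue(host, false, trustedCA, trustedKey)
	bogusLeaf, _, e4 := issue(host, false, bogusCA, bogusKey)
	for _, e := range []error{e1, e2, e3, e4} {
		if e != nil {
			return false, false, false, e
		}
	}
	store := []*x509.Certificate{trustedCA}
	bogusChain := []*x509.Certificate{bogusLeaf, bogusCA}       // impersonating server's message
	genuineChain := []*x509.Certificate{genuineLeaf, trustedCA} // real server, root included
	flawedAcceptsBogus = VerifyServerChain(bogusChain, store, host, true) == nil
	correctAcceptsBogus = VerifyServerChain(bogusChain, store, host, false) == nil
	correctAcceptsGenuine = VerifyServerChain(genuineChain, store, host, false) == nil
	return flawedAcceptsBogus, correctAcceptsBogus, correctAcceptsGenuine, nil
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints `true false true <nil>`: the flawed client is impersonated without any break in TLS itself (the Finished messages are all genuine, computed by the impersonator with its own key), the correct client rejects the same chain, and the correct client still accepts the real server's chain even though that chain carries its root, which is the harmless case the thread's subject line asks about.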
