by aeternus 2968 days ago
They're not pretending to be Amazon, but they are making their client pretend to talk to an Amazon host, and use the SSL keys of an Amazon-owned host rather than their own.

It's more like this:

Clear text request: "Hello, I would like to speak TLS with host souq.com and encrypt my connection with a key signed by souq.com"

Clear text response: "Why yes, let us do that with these parameters"

Encrypted request: "Actually I meant host signal.org, but please route my request anyway since both hosts are being routed by this service. Please ignore the fact that my symmetric key for this connection was encrypted and transmitted using the keypair of souq.com."

----

This is similar to buying a train ticket to a nearby stop, using it to get on the train, then getting off at a different stop because you know they won't check your ticket again.

Google and Amazon are now adding an additional ticket check.
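The "additional ticket check" described above, sketched as an added example (not part of the thread and not any provider's code): a front end compares the name in the cleartext ClientHello with the Host header it sees after decryption. All function names are hypothetical, the exact-match policy and the 400/421 status codes are this example's assumptions, and the ClientHello is a constructed sample.

```python
import struct

def sni_from_client_hello(rec: bytes):
    """Return the server_name in a TLS ClientHello record, or None."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:          # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                            # headers, version, random
        p += 1 + rec[p]                               # session_id
        p += 2 + struct.unpack_from("!H", rec, p)[0]  # cipher_suites
        p += 1 + rec[p]                               # compression_methods
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            if etype == 0:                            # server_name extension
                nlen = struct.unpack_from("!H", rec, p + 7)[0]
                return rec[p + 9:p + 9 + nlen].decode("ascii").lower()
            p += 4 + elen
    except (IndexError, struct.error, ValueError):    # truncated or malformed input
        pass
    return None

def host_from_request(raw: bytes):
    """Return the Host header of a decrypted HTTP/1.1 request, port stripped."""
    for line in raw.split(b"\r\n\r\n")[0].split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":            # IPv6 literals not handled
            return value.strip().decode("ascii", "replace").lower().split(":")[0]
    return None

def ticket_check(client_hello: bytes, request: bytes) -> int:
    """Status this sketch returns: 421 when the SNI and Host names differ."""
    sni, host = sni_from_client_hello(client_hello), host_from_request(request)
    if host is None:
        return 400
    return 200 if sni == host else 421    # a missing SNI also counts as a mismatch

def build_client_hello(name: str) -> bytes:
    """Constructed sample input: minimal ClientHello with only an SNI extension."""
    n = name.encode()
    sni = struct.pack("!HHHBH", 0, len(n) + 5, len(n) + 3, 0, len(n)) + n
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

HELLO = build_client_hello("souq.com")                     # cleartext part
FRONTED = b"GET / HTTP/1.1\r\nHost: signal.org\r\n\r\n"    # encrypted part
```

With the sample pair from the comment, `ticket_check(HELLO, FRONTED)` returns 421, while a request whose Host is `souq.com` passes.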

3 comments

Sure, as long as that "different stop" is no further down the line.

There's no need for the ticket to match. They're not traveling on any rail segments they weren't supposed to be on.

Except that you aren’t actually using an additional service that you’d otherwise have to pay for, so that analogy is bullshit.
Souq.com is owned by Amazon.