WebApp Sec mailing list archives
RE: IIS log - GETs vs. POSTs
From: RSnake <rsnake () shocking com>
Date: Mon, 1 Sep 2003 10:24:06 -0700 (PDT)
That is incorrect. Here is the transactional model:

    Client hello                        ->
                                        <- Server hello
                                        <- Server certificate
                                        <- ServerHelloDone
    ClientKeyExchange E(Kserv, PK)      ->
    ChangeCipherSpec                    ->
    FIN Handshake (MAC)                 ->
                                        <- ChangeCipherSpec
                                        <- FIN Handshake (MAC)
    Application_data HTTP request       ->
      (GET /?data HTTP/1.0\n\n)
                                        <- Application_data HTTP response
                                           (HTTP/1.1 200 OK\n...)
    Alert: close_notify                 ->
                                        <- Alert: close_notify

Please ref RFC2817 and RFC2818.

It is possible to break SSL/TLS, however usually it's computationally/fiscally infeasible, as it can be difficult to get access to a machine that routes traffic to the victim server in question, as the level of security usually (read: we hope) goes up as you get closer to a secured machine (data center). Also the dollars spent to break a single session often exceed the actual dollar value of the data recovered.

In addition there can be potential leaking of information as you get closer to the server in question, and one can use chain-of-command type cryptanalysis to extrapolate more information from a host. I.e.: people who log into a secure site for some fatal disease are more likely to be afflicted by it, regardless of the fact that you cannot see actual plaintext. This is really more of a concern for those governed by HIPAA and internal government auditing than joe-shmoe's e-commerce site. Generally speaking this should not be a concern.

I just want to reiterate, man in the middle attacks are one of the smallest threats out there at the time of this email, because they have nearly stopped in proliferation, compared to going directly after the server in question, which usually yields better results anyway. But even still, I would never build an enterprise solution without using it. It's all about risk mitigation, right?
On Mon, 1 Sep 2003, Calderon, Juan C (EM, DDEMESIS) wrote:

| Date: Mon, 1 Sep 2003 10:23:11 -0400
| From: "Calderon, Juan C (EM, DDEMESIS)" <Juan.Calderon () ge com>
| To: RSnake <rsnake () shocking com>, Lucas Holt <luke () foolishgames com>
| Cc: Jeremy Poteet <lists () appdefense com>,
|     WebAppSec <webappsec () securityfocus com>
| Subject: RE: IIS log - GETs vs. POSTs
|
| As far as I know.
|
| Another implication of sending information through HTTP GET is that SSL does
| not encrypt (protect) it; only the byte flow (POST data) is encrypted,
| so sending information through the URL using SSL is useless.
|
| Correct me if I'm wrong.
|
| cheers :)

-R
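The distinction the thread is really about, shown as an added Python example that is not part of this email or of the list archive: under SSL/TLS the entire HTTP request, request line and query string included, is the payload of the application_data record, so a GET parameter is just as protected in transit as a POST body. What differs is what the server writes to disk afterwards. The script builds a sample request with constructed values (example.test, a made-up "ssn" field), wraps it in a TLS 1.0 application_data record header to show where the query string sits, and then emulates a W3C-extended IIS log line (cs-method, cs-uri-stem, cs-uri-query) to show that GET parameters land in the log while a POST body never does. The record payload is left unencrypted so it can be inspected; on the wire it would be ciphertext plus MAC.

```python
"""Added example (not from the original thread): TLS protects the whole HTTP
request in transit, but a GET query string is still written to the web server
log, which is where GET-vs-POST matters for sensitive data."""

from urllib.parse import urlencode, urlsplit


def build_request(method: str, path: str, params: dict, host: str = "example.test") -> bytes:
    """Construct the plaintext HTTP/1.0 request exactly as the client hands it to TLS."""
    if method == "GET":
        return f"GET {path}?{urlencode(params)} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    body = urlencode(params).encode()
    head = (
        f"POST {path} HTTP/1.0\r\nHost: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


def tls_application_data_record(plaintext: bytes) -> bytes:
    """Wrap a message in a TLS 1.0 record: type 23 (application_data), version 3.1, length.

    Everything after the 5-byte header, request line and query string included, is the
    protected payload. Shown here unencrypted; on the wire it is ciphertext plus MAC.
    """
    assert len(plaintext) <= 2**14, "TLS records carry at most 2^14 bytes of plaintext"
    return b"\x17\x03\x01" + len(plaintext).to_bytes(2, "big") + plaintext


def w3c_log_line(request: bytes) -> str:
    """Emulate the cs-method, cs-uri-stem and cs-uri-query fields of a W3C-extended IIS log.

    The log records the request line only; the request body is never logged, so POST
    parameters do not appear, while GET parameters appear verbatim.
    """
    request_line = request.split(b"\r\n", 1)[0].decode()
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    return f"{method} {parts.path} {parts.query or '-'}"


def where_is_the_data(params: dict) -> dict:
    """For GET and POST, report whether the parameters sit inside the TLS-protected
    payload (always) and whether they end up in the server log (GET only)."""
    needle = urlencode(params).encode()
    report = {}
    for method in ("GET", "POST"):
        req = build_request(method, "/login", params)
        record = tls_application_data_record(req)
        report[method] = {
            "inside_tls_record": needle in record[5:],
            "in_server_log": needle.decode() in w3c_log_line(req),
        }
    return report


if __name__ == "__main__":
    # Constructed sample values; not real data.
    sample = {"user": "alice", "ssn": "123-45-6789"}
    for method, facts in where_is_the_data(sample).items():
        print(method, facts)
        print("  log line:", w3c_log_line(build_request(method, "/login", sample)))
```

Running it prints that both methods carry the parameters inside the record payload, but only the GET line ends up in the emulated log. That is the practical reason to keep sensitive fields in the POST body even over SSL: the transport is equally protected either way, but the query string is additionally stored, in cleartext, by the server's own logging.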
Current thread:
- Fw: IIS log - GETs vs. POSTs Matt Fisher (Aug 30)
- Re: IIS log - GETs vs. POSTs Jeremy Poteet (Aug 30)
- Re: IIS log - GETs vs. POSTs RSnake (Aug 30)
- Re: IIS log - GETs vs. POSTs Lucas Holt (Aug 30)
- Re: IIS log - GETs vs. POSTs RSnake (Aug 31)
- Re: IIS log - GETs vs. POSTs RSnake (Aug 30)
- Re: IIS log - GETs vs. POSTs Jeremy Poteet (Aug 30)
- <Possible follow-ups>
- RE: IIS log - GETs vs. POSTs Calderon, Juan C (EM, DDEMESIS) (Sep 01)
- RE: IIS log - GETs vs. POSTs RSnake (Sep 01)
- RE: IIS log - GETs vs. POSTs Guille -bisho- (Sep 01)
- RE: IIS log - GETs vs. POSTs RSnake (Sep 01)
- RE: IIS log - GETs vs. POSTs RSnake (Sep 01)