IDS mailing list archives

RE: SSL and IPS (was RE: ssh and ids)


From: <Peter_Schawacker () NAI com>
Date: Thu, 1 Jul 2004 22:07:12 -0700

Mike,

Concerning your challenge, here's the decrypted URL:

        https://www.cryptolinux.org/kudzu

The page is no longer there, but it looks like it contained the page
source for the CryptoLinux homepage and an article about kudzu.  The
beginning of the page's source is below. If you have any further
questions or comments on this, let's take it off list.


Peter Schawacker, CISSP
Technical Evangelist
McAfee
Office 760 200 4258
Mobile 760 880 4258
ps () nai com

-----Original Message-----
From: Michael H. Warfield [mailto:mhw () wittsend com] 
Sent: Wednesday, June 30, 2004 4:29 PM
To: Schawacker, Peter
Cc: shoten () starpower net; focus-ids () securityfocus com;
security () brvenik com; mhw () wittsend com
Subject: Re: SSL and IPS (was RE: ssh and ids)


On Wed, Jun 30, 2004 at 01:39:38PM -0700, Peter_Schawacker () NAI com
wrote:
Rob,

        :

I think we've taken this topic as far as we can on this list.  There 
is no question that the technology works -- we've had it in beta in 
real world networks. The most important question is, "How will the 
market value this technology?"  Only real-world implementations and 
time will tell.  Let's just let the market decide the value of IPS 
decryption, shall we?

        You're right...  Let's test it.

        I've put up the challenge.  I'll set up a secure web server
on a separate IP address and secure with a cert.  I'll provide you with
the private key, with no password, and the certificate, and a tcpdump of
all the traffic to and from that IP address.  You just provide back all
the clear text.  That should be simple.  Yes? If you can do that, given
the private key of the server, then you have proven your point.  And
THAT'S real world.  I can have it done tonight.

Thanks, Mike (ISS), Marty (Sourcefire) and Jason (Sourcefire) for your
questions and comments.  Let's have this chat again six months from
now. ;-)

Over and out.

Peter Schawacker, CISSP
Technical Evangelist
McAfee
Office 760 200 4258
Mobile 760 880 4258
ps () nai com

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
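
Added example, not part of the original posts: the challenge above hands over the server's private key and a capture, and recovering clear text from those two items depends on the negotiated cipher suite using RSA key exchange. The sketch below reads the suite out of a ServerHello record and reports whether the key alone is enough; the thread does not say which suite was used, so the sample records and all function names are constructed for illustration.

```python
import struct

# Key exchange used by a few SSLv3/TLS 1.0 cipher suites (IANA values).
# RSA: the client encrypts the pre-master secret to the server's key, so a
# sensor holding the private key can derive the session keys from a capture.
# DHE: the key only signs the exchange; the capture alone stays opaque.
SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RSA"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0016: ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "DHE"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
}

def server_hello_suite(record: bytes) -> int:
    """Return the cipher suite chosen in a TLS record holding a ServerHello."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) != rlen or rlen < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello record")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    if len(hello) != hlen or hlen < 35:  # version(2) + random(32) + sid len(1)
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]                 # skip the variable-length session id
    if off + 2 > hlen:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def private_key_decrypts(suite: int) -> bool:
    """True only when the suite is known to use RSA key transport."""
    return SUITES.get(suite, ("unknown", "unknown"))[1] == "RSA"

def sample_server_hello(suite: int) -> bytes:
    """Constructed TLS 1.0 ServerHello with a zeroed random and session id."""
    hello = b"\x03\x01" + bytes(32) + b"\x20" + bytes(32) + suite.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for suite in (0x0035, 0x0039):
        chosen = server_hello_suite(sample_server_hello(suite))
        print(SUITES[chosen][0], "decryptable with key:", private_key_decrypts(chosen))
```
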
