Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP AUTH BASIC monowall.

From: Andrew Simmons <asimmons () messagelabs com>
Date: Thu, 16 Mar 2006 11:18:40 +0000
Simon Smith wrote:


Ok, so what's your alternative?


[...]


Some form of challenge response?  If you can already perform a man in
the middle attack, than challenge response is just as vulnerable. Just connect to the server when the client hits you, and pass them the 
challenge you recieved.  Use the credential yourself, and pass them a
failure.  When they try again, connect them to the server.



You're right again.  Does everyone here think that the majority of
companies hire security aware people?
We're not talking about general staff, we're talking about your firewall admin. If your firewall admin doesn't care about security you've got much bigger problems. Which appears to be the case... 


\a

--
Andrew Simmons // MessageLabs Security Team
Technical Security Consultant
MessageLabs: Be certain

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: