Full Disclosure mailing list archives
RE: Secure HTTP
From: "TJ" <trejrco () gmail com>
Date: Fri, 24 Mar 2006 11:51:08 -0500
Wait, you mean security (solely) through obscurity doesn't work?? :) /TJ -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Kenneth Ng Sent: Friday, March 24, 2006 10:43 AM To: Valdis.Kletnieks () vt edu Cc: Full Disclosure Subject: Re: [Full-disclosure] Secure HTTP On 3/24/06, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
Do the frikking SSL correctly on port 443 like the RFCs intend rather than cooking up some half-assed proxy scheme to work around it. <insert standard "if I had a nickle for every time somebody proposed a partial solution for the wrong part of the problem instead of doing it in the well-understood correct way in the first place, I'd be long since retired" speech here....>
You would be more than rich. You won't believe the number of "security improvements" I've had to knock down. One application had all the ports reassigned to all non standard ports. When I asked why such a brain dead thing was done, they said it was for security, and that "it would be too much work to find these ports". Then I showed them nmap with the port identification option. Their jaw dropped to the floor. They had *NO* security. Anonymous ftp world writable, http with no id or password allowing web page updating, telnet with no id or password. Needless to say, a redesign was required. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Secure HTTP Q Beukes (Mar 23)
- Re: Secure HTTP Cedric Blancher (Mar 23)
- Re: Secure HTTP Brian Eaton (Mar 23)
- Re: Secure HTTP Julien GROSJEAN - Proxiad (Mar 23)
- Re: Secure HTTP Brian Eaton (Mar 23)
- Re: Secure HTTP Clark Mills (Mar 23)
- Re: Secure HTTP Julien GROSJEAN - Proxiad (Mar 23)
- Message not available
- Re: Secure HTTP Q Beukes (Mar 24)
- Re: Secure HTTP Valdis . Kletnieks (Mar 24)
- Re: Secure HTTP Kenneth Ng (Mar 24)
- RE: Secure HTTP TJ (Mar 24)
- Re: Secure HTTP Julien GROSJEAN - Proxiad (Mar 27)
- Re: Secure HTTP Q Beukes (Mar 24)
- Re: Secure HTTP M Bealby (Mar 24)
- <Possible follow-ups>
- FW: Secure HTTP Edward Pearson (Mar 23)
- Re: FW: Secure HTTP n3td3v (Mar 23)