Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP AUTH BASIC monowall.

From: Tim <tim-security () sentinelchicken org>
Date: Tue, 14 Mar 2006 19:58:58 -0500
Actually, encryption can do some good, even in the absence of authentication.

Even if the remote end is totally unauthenticated, you have at least guaranteed
that nobody is doing any passive sniffing of the content in transit.  You've
at least forced an attacker to mount an active MitM attack, which is both more
challenging and has a higher risk of detection....


I concede.  In the vast majority of communications situations, MitM is
only a little more difficult than passive sniffing, but in some it does
make a difference.  In particular, some broadcast mediums make MitM very
difficult without detection (radio broadcast, for instance).

In addition, if you can guarantee perfect forward secrecy without
authentication, at least the attacker must use a MitM attack right then.
Offline analysis won't reveal the encrypted content.

thanks,
tim.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: