Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Tim <tim-security () sentinelchicken org>
Date: Tue, 14 Mar 2006 19:58:58 -0500
> Actually, encryption can do some good, even in the absence of authentication. Even if the remote end is totally unauthenticated, you have at least guaranteed that nobody is doing any passive sniffing of the content in transit. You've at least forced an attacker to mount an active MitM attack, which is both more challenging and has a higher risk of detection....

I concede. In the vast majority of communications situations, MitM is only a little more difficult than passive sniffing, but in some it does make a difference. In particular, some broadcast mediums make MitM very difficult without detection (radio broadcast, for instance). In addition, if you can guarantee perfect forward secrecy without authentication, at least the attacker must use a MitM attack right then. Offline analysis won't reveal the encrypted content.

thanks,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/