Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP AUTH BASIC monowall.

From: Tim <tim-security () sentinelchicken org>
Date: Wed, 15 Mar 2006 13:50:32 -0500
(assuming the admin doesn't notice the cert changes and all that good
stuff.) 



There's your problem.  If you assume this, you will always be vulnerable
to MitM if the software you're using allows you to communicate anyway.

If you're SSH client lets you connect to systems whose keys have
changed, same problem.  If your VPN client allows it, same problem.

This is why I wanted you to think about what you are trusting in the
first place.  You are trusting your CA and the certificate chain.  If
you can't do that, then you have no trust.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: