Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP AUTH BASIC monowall.

From: Simon Smith <simon () snosoft com>
Date: Wed, 15 Mar 2006 14:12:58 -0500
Actually,
    You are trusting the user to do the right thing. Historically, users
don't always do the right thing. Hence, why I want a technology to
protect data and not a human being.

Tim wrote:

(assuming the admin doesn't notice the cert changes and all that good
stuff.) 
    



There's your problem.  If you assume this, you will always be vulnerable
to MitM if the software you're using allows you to communicate anyway.

If you're SSH client lets you connect to systems whose keys have
changed, same problem.  If your VPN client allows it, same problem.

This is why I wanted you to think about what you are trusting in the
first place.  You are trusting your CA and the certificate chain.  If
you can't do that, then you have no trust.

tim
  



-- 


Regards, 
        Adriel T. Desautels
        Harvard Security Group
        http://www.harvardsecuritygroup.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: