Full Disclosure mailing list archives
Re: JaPCrypt
From: Gerardo Di Giacomo <gerardo () linux it>
Date: Wed, 06 Feb 2008 19:05:48 +0100
It's true that with MITM you could "poison" the javascript to steal the key (cookie stealing style) but I think that it's a reasonable risk due to the "non-enterprise" environment, in which the suite has been thought for. Stealing the key requires a targeted attack MITM, in a precise moment.
I think it's better to use JaPCrypt then normal HTTP... and don't forget that all pages "protected" with JaPCrypt won't be indexed by crawlers. The "main" problem by now is not massive MITM but massive sniffing, and with this suite the problem of "mass-sniffing" is avoided.
Regards, Gerardo
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- JaPCrypt Gerardo Di Giacomo (Feb 06)
- Re: JaPCrypt coderman (Feb 06)
- Re: JaPCrypt T Biehn (Feb 06)
- Re: JaPCrypt T Biehn (Feb 06)
- Re: JaPCrypt T Biehn (Feb 06)
- <Possible follow-ups>
- Re: JaPCrypt Gerardo Di Giacomo (Feb 06)
- Re: JaPCrypt coderman (Feb 06)
- Re: JaPCrypt Valdis . Kletnieks (Feb 06)
- Re: JaPCrypt Epic (Feb 06)
- Re: JaPCrypt Christoph Gruber (Feb 06)
- Re: JaPCrypt Valdis . Kletnieks (Feb 06)
- Re: JaPCrypt coderman (Feb 06)
- Re: JaPCrypt coderman (Feb 06)