PaulDotCom mailing list archives
SSL VPN attacks?
From: jackadaniel at gmail.com (Jack Daniel)
Date: Sun, 31 Jan 2010 18:07:26 -0500
There's a different problem with the Cisco (and some other) "clientless" (there's a BS marketing term) VPNs. There's a lame Cert vuln report at http://www.kb.cert.org/vuls/id/261869 with lots of misinformation (most VPN products are not vulnerable to this). Two posts over at Securosis clarify and explain this issue:

http://securosis.com/blog/your-clientless-ssl-vpn-sucks/
http://securosis.com/blog/clientless-ssl-vpn-redux/

Basically, the "web browser as VPN client" systems, where the "VPN server" rewrites the remote services and serves them to the browser/client via a web server, break domain security models if used improperly.

I *assume* (with all attendant dangers) that these same pure web-browser-based systems are as vulnerable to sslstrip as conventional websites, but I do not know for sure.

What is driving the change from IPSec?

Jack

--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com

On Sun, Jan 31, 2010 at 2:49 PM, Michael Douglas <mick at pauldotcom.com> wrote:

> Do any of the ssl strip type attacks work against SSL VPNs? Specifically the Cisco variant? I have a side client who's all but ready to ditch IPSec and that's got me a bit concerned.
>
> I've tried noodling around on google/bing to see what I can find, and my search-fu is weak today. Any tips are welcomed.
>
> Thanks & have a nice day!
>
> - Mick
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
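Jack's point is that a browser-based VPN portal is a website first and a VPN second, so the question "does sslstrip work against it?" reduces to the same checks you would run against any HTTPS site: does the portal answer on plain HTTP at all, does it pin HTTPS in the browser with Strict-Transport-Security (RFC 6797), and is its session cookie marked Secure so a stripped request never carries it. The script below is an added example written for this archive page; it is not code from the thread, from Cisco, or from any VPN vendor. It evaluates two constructed sets of HTTP/HTTPS response headers (a weak portal and a hardened one; the host name `vpn.example.test` and cookie name `webvpn` are made up) and reports the downgrade exposure a defender would want closed.

```python
"""Assess captured portal responses for SSL-stripping exposure.

Added example, not from the original thread or any vendor. sslstrip-style
attacks depend on the browser's first request going out over plain HTTP and
someone in the path answering it, so the defences are: no content on plain
HTTP, HSTS (RFC 6797) on the HTTPS response, and Secure on the session
cookie. All responses below are constructed samples, not real captures.
"""
import re
from dataclasses import dataclass, field

# RFC 6797 sets no minimum max-age; six months is a common bar (assumption).
LONG_ENOUGH = 180 * 24 * 3600


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

    def __post_init__(self):
        # Header names are case-insensitive; normalise them once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    def get(self, name, default=None):
        return self.headers.get(name.lower(), default)


def parse_hsts(value):
    """Return (max_age, include_subdomains) from an STS value, or None if max-age is missing."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def assess(http_resp, https_resp, min_max_age=LONG_ENOUGH):
    """Return a list of findings; an empty list means no downgrade exposure was found.

    http_resp is None when nothing listens on port 80, which is the best case.
    """
    findings = []

    # 1. Plain-HTTP behaviour: a redirect to https:// is the least the server should do.
    if http_resp is not None:
        location = http_resp.get("Location", "")
        if http_resp.status in (301, 302, 307, 308) and location.lower().startswith("https://"):
            findings.append("http->https redirect: first request still travels in clear, HSTS must cover it")
        else:
            findings.append("portal served over plain http: strippable directly")
        if http_resp.get("Strict-Transport-Security") is not None:
            # RFC 6797 section 8.1: STS received over a non-secure transport is ignored.
            findings.append("HSTS header sent over http is ignored by browsers")

    # 2. HSTS on the HTTPS response pins future visits to https.
    sts = https_resp.get("Strict-Transport-Security")
    if sts is None:
        findings.append("no HSTS: browser will follow an http:// link on the next visit")
    else:
        parsed = parse_hsts(sts)
        if parsed is None:
            findings.append("malformed HSTS: no max-age directive")
        else:
            max_age, include_sub = parsed
            if max_age < min_max_age:
                findings.append(f"HSTS max-age {max_age}s is short")
            if not include_sub:
                findings.append("HSTS lacks includeSubDomains")

    # 3. The session cookie must never be sent over http.
    cookies = https_resp.get("Set-Cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        if "secure" not in attrs:
            findings.append(f"cookie {attrs[0].split('=')[0]} lacks Secure flag")
    return findings


# Constructed sample: redirects to https but no HSTS and a non-Secure session cookie.
WEAK_HTTP = Response(302, {"Location": "https://vpn.example.test/"})
WEAK_HTTPS = Response(200, {"Set-Cookie": ["webvpn=abc123; Path=/; HttpOnly"]})

# Constructed sample: port 80 closed, long HSTS with includeSubDomains, Secure cookie.
HARDENED_HTTP = None
HARDENED_HTTPS = Response(200, {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["webvpn=abc123; Path=/; Secure; HttpOnly"],
})


def weak_findings():
    return assess(WEAK_HTTP, WEAK_HTTPS)


def hardened_findings():
    return assess(HARDENED_HTTP, HARDENED_HTTPS)


if __name__ == "__main__":
    for label, result in (("weak", weak_findings()), ("hardened", hardened_findings())):
        print(f"{label}: {result or 'no downgrade exposure found'}")
```

The redirect finding is deliberately not treated as a pass: an http-to-https redirect still leaves the very first request in the clear, which is exactly the hop sslstrip needs, so only the HSTS header on the HTTPS response closes that gap for returning visitors.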
Current thread:
- SSL VPN attacks? Michael Douglas (Jan 31)
- SSL VPN attacks? Jack Daniel (Jan 31)
- SSL VPN attacks? Butturini, Russell (Feb 01)