PaulDotCom mailing list archives
Re: SSL vs IPSec VPNs
From: Michael Douglas <mick () pauldotcom com>
Date: Thu, 21 Oct 2010 23:31:08 -0400
Mark, that's straight up evil... I love it. Just let me know what sorts of credit you want for that little trick. It's every bit as good as me sending them status reports with a few extra payloads attached.

Customer: this file's encrypted
Me: Of course, you don't want a mail admin to be able to see this kind of sensitive data... here's how you open the file
Customer: Oh you need macros? Why?
Me: Formatting. And if you see any popups just click yes.

Sad thing is it *works*...

I *love* what I do for a living! What a fun and amazing field.

- Mick

On Wed, Oct 20, 2010 at 9:58 AM, Baggett, Mark <mark.baggett () morris com> wrote:
This probably won't affect your purchasing decision, but I think it is interesting that most network admins don't really think twice about allowing their employees to use SSL VPN to connect to a third party network. They don't think about the fact that some other admin (the one who owns the SSL VPN Concentrator) controls the split tunneling policy on the clients and decides whether or not your internal workstations can be used to pivot mercilessly through your environment.

Dear Pen test customer,

In order to provide you with instant, up to date access to the results of our ongoing penetration we have established a project status portal. Obviously this data is sensitive and must be protected. Please use the following username and password to login to our SSL VPN to access the status page.

Moooohahhahaa

-----Original Message-----
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Michael Douglas
Sent: Tuesday, October 19, 2010 9:41 AM
To: pauldotcom () pdc-mail pauldotcom com
Subject: [Pauldotcom] SSL vs IPSec VPNs

Hey all,

I'm trying to determine what protocols should be permitted on a new VPN concentrator. I'd like to stick with IPSec, it's tried and true, and to quote Garth: "We fear change". However, it seems that all the vendors are going down the SSL route.

Now I know SSL is 'safe', but it seems like it's more open to attacks like SSLStrip (thanks again Moxie for making us aware of the problems!) I get that SSL is easier for administrators and end users alike, but is that convenience at too high a cost?

So what are your thoughts? Am I being too paranoid? If there are articles or places where I should RTFM, that's cool... I just need to know what FM to read!! Please send the links/info ;-)

Thanks for your input, and have a nice day!
- Mick

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- SSL vs IPSec VPNs Michael Douglas (Oct 19)
- Re: SSL vs IPSec VPNs Carlos Perez (Oct 19)
- Re: SSL vs IPSec VPNs Butturini, Russell (Oct 20)
- Re: SSL vs IPSec VPNs Carlos Perez (Oct 20)
- Re: SSL vs IPSec VPNs Michael Miller (Oct 21)
- Re: SSL vs IPSec VPNs Butturini, Russell (Oct 20)
- Re: SSL vs IPSec VPNs Carlos Perez (Oct 19)
- Re: SSL vs IPSec VPNs Jack Daniel (Oct 20)
- Re: SSL vs IPSec VPNs Chris Clymer (Oct 25)
- Re: SSL vs IPSec VPNs Baggett, Mark (Oct 20)
- Re: SSL vs IPSec VPNs Carlos Perez (Oct 20)
- Re: SSL vs IPSec VPNs Michael Douglas (Oct 21)
- Re: SSL vs IPSec VPNs Baggett, Mark (Oct 22)
- Re: SSL vs IPSec VPNs Gregory Baker (Oct 26)
- <Possible follow-ups>
- Re: SSL vs IPSec VPNs Kerry (Oct 20)