Penetration Testing mailing list archives

Re: demoing sslv2 vulns


From: Robin Wood <robin () digininja org>
Date: Sun, 4 Jul 2010 12:52:36 +0100

On 4 July 2010 12:47, rapper crazy <rappercrazzy () gmail com> wrote:
Hello Robin,

The exploitation of these vulnerabilities requires industrial / govt level
infra support. The only way to attack these vulnerabilities is with a
cryptanalytic attack.
Breaking these might not be possible for a lone attacker but considering
corporate espionage, dumping the network (ssl-encrypted) traffic, these
dumps can later be brute forced to recover the session key and then the whole
communication.

Thanks
JT


So basically I tell them that for most situations they currently
aren't really a threat, but as cryptanalysis only gets better, never
worse, it is only a matter of time before they become a problem, so it
is better to get protected now before it is a problem rather than rush
to upgrade once it does become a problem.

Sound about right?

Robin
