[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] HTTP AUTH BASIC monowall.

To: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 13 Mar 2006 18:04:10 -0500

> You said this is a firewall box. Most "appliances" I've seen use 
> self-signed SSL certs which don't validate anyway -- so you're ALREADY 
> used to clicking "ok" on the warning. Therein lies the danger I suppose.

Exactly.  This is probably why Simon is confused.  However, if he
verifies the fingerprint/hash of the certificate once (by walking over
to his firewall and reading it off the terminal), then he permanently
trusts it in his browser, then he'll be pretty safe from then on.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Simon Smith
- Re: [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Michael Holstein

Prev by Date: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Next by Date: RE: [Full-disclosure] HTTP AUTH BASIC monowall.
Previous by thread: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Next by thread: [Full-disclosure] Re: HTTP AUTH BASIC monowall.
Index(es):
- Date
- Thread