[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] HTTP AUTH BASIC monowall.

To: Valdis.Kletnieks@xxxxxx
Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 14 Mar 2006 19:58:58 -0500

> Actually, encryption can do some good, even in the absence of authentication.
> 
> Even if the remote end is totally unauthenticated, you have at least 
> guaranteed
> that nobody is doing any passive sniffing of the content in transit.  You've
> at least forced an attacker to mount an active MitM attack, which is both more
> challenging and has a higher risk of detection....

I concede.  In the vast majority of communications situations, MitM is
only a little more difficult than passive sniffing, but in some it does
make a difference.  In particular, some broadcast mediums make MitM very
difficult without detection (radio broadcast, for instance).

In addition, if you can guarantee perfect forward secrecy without
authentication, at least the attacker must use a MitM attack right then.
Offline analysis won't reveal the encrypted content.

thanks,
tim.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Simon Smith
- Re: [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Matthijs van Otterdijk
- Re: [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Tim
- Re: [Full-disclosure] HTTP AUTH BASIC monowall.
  - From: Valdis . Kletnieks

Prev by Date: [Full-disclosure] WLSI - Windows Local Shellcode Injection - Paper
Next by Date: [Full-disclosure] [HV-HIGH] Microsoft Excel Named Range Arbitrary Code Execution
Previous by thread: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Next by thread: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
Index(es):
- Date
- Thread