[Full-disclosure] HTTP AUTH BASIC monowall
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] HTTP AUTH BASIC monowall
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Date: Wed, 15 Mar 2006 15:14:47 -0500
tim-security at sentinelchicken.org wrote:
>> (assuming the admin doesn't notice the cert changes and all that good
>> stuff.)
> There's your problem. If you assume this, you will always be vulnerable
> to MitM if the software you're using allows you to communicate anyway.
> If your SSH client lets you connect to systems whose keys have
> changed, same problem. If your VPN client allows it, same problem.
> This is why I wanted you to think about what you are trusting in the
> first place. You are trusting your CA and the certificate chain. If
> you can't do that, then you have no trust.
How trustworthy are the CA certificates included in the average browser?
There are a couple of dozen CA certificates shipped with my browser.
Some of the vendors associated with these CA certificates offer to
give me a certificate for my web site in 10 minutes or less for a
couple of hundred dollars.
This sounds like a really ripe opportunity for social engineering to me.
- Brian