Simon Smith wrote:
Ok, so what's your alternative?
[...]
Some form of challenge response? If you can already perform a man inthe middle attack, than challenge response is just as vulnerable. Just connect to the server when the client hits you, and pass them thechallenge you recieved. Use the credential yourself, and pass them a failure. When they try again, connect them to the server.
You're right again. Does everyone here think that the majority of companies hire security aware people?
We're not talking about general staff, we're talking about your firewall admin. If your firewall admin doesn't care about security you've got much bigger problems. Which appears to be the case...
\a -- Andrew Simmons // MessageLabs Security Team Technical Security Consultant MessageLabs: Be certain ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System.For more information please visit http://www.messagelabs.com/email ______________________________________________________________________
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/