lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 25 Jun 2004 16:16:03 -0700
From: "Zone Labs Product Security" <Product-Security@...elabs.com>
To: <bugtraq@...urityfocus.com>
Cc: "Zone Labs Security Team" <security@...elabs.com>
Subject: Zone Labs response to "ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability"


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ZoneAlarm Pro, Security Suite and Integrity products which employ
Mobile Code Protection/ID Lock features do not inspect encrypted
traffic. If mobile code is downloaded via a Secure Sockets Layer
(SSL) session, it will not be inspected by these products. This is
by design and mandated by the SSL Protocol specification.

The intended purpose of SSL is to "provide privacy and reliability
between two communicating applications [1]." Computer users have
the expectation their SSL encrypted session will be encrypted
end-to-end between the server and client application (in this
case, the Web Browser).

As stated in the SSL Protocol Version 3.0:

   For SSL to be able to provide a secure connection, both the
   client and server systems, keys, and applications must be
   secure [1].

As such, Zone Labs products do not attempt to intercept, decrypt,
proxy, or otherwise interfere with the SSL transaction. For our
product -- or any other application -- to behave otherwise would
violate the intent and design of the SSL specification and could
potentially expose and/or risk the confidentiality of the data
transmitted in the SSL transaction.

A clarification of this feature's design will be made in the
product help files and program interface.

Zone Labs encourages anyone with concerns about the security of
our products or services to contact us at security@...elabs.com.


[1] http://wp.netscape.com/eng/ssl3/draft302.txt 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQNyyJVDxXw2Is3mLEQLFTwCfXTMHeASzAncL8efuIBJaXswfIjoAn1iJ
HDrSHxs4H9Bm0CGSVf+O3QPq
=th5g
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ