Date: Wed Mar 15 00:59:08 2006
From: tim-security at sentinelchicken.org (Tim)
Subject: HTTP AUTH BASIC monowall.

> Actually, encryption can do some good, even in the absence of authentication.
>
> Even if the remote end is totally unauthenticated, you have at least guaranteed
> that nobody is doing any passive sniffing of the content in transit. You've
> at least forced an attacker to mount an active MitM attack, which is both more
> challenging and has a higher risk of detection....

I concede. In the vast majority of communications situations, MitM is only a little more difficult than passive sniffing, but in some it does make a difference. In particular, some broadcast mediums make MitM very difficult without detection (radio broadcast, for instance).

In addition, if you can guarantee perfect forward secrecy without authentication, at least the attacker must use a MitM attack right then. Offline analysis won't reveal the encrypted content.

thanks,
tim.
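The point made in this message, as an added example that is not part of the original post: an unauthenticated ephemeral Diffie-Hellman exchange in which a passive recording holds only public values, while in-flight substitution leaves the two ends with different keys that a fingerprint comparison exposes. The toy group, the function names and the out-of-band fingerprint check are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): 2**127 - 1 is prime but far
# too small for real use. Real deployments use standardized groups or curves.
P = 2**127 - 1
G = 3


def keypair():
    """Fresh ephemeral secret and public value; the secret is never stored."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Hash the shared DH value into a 32-byte session key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def handshake(tamper=None):
    """Run one unauthenticated exchange.

    tamper, if given, replaces each public value in flight (active MitM).
    Returns both endpoint keys and what a passive recorder would capture.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_bob = tamper(a_pub) if tamper else a_pub
    seen_by_alice = tamper(b_pub) if tamper else b_pub
    k_alice = session_key(a_priv, seen_by_alice)
    k_bob = session_key(b_priv, seen_by_bob)
    transcript = (a_pub, b_pub)  # public values only; no secret on the wire
    return k_alice, k_bob, transcript  # a_priv and b_priv are discarded here


def fingerprint(key):
    """Short value the two ends can compare over another channel."""
    return hashlib.sha256(b"fp" + key).hexdigest()[:16]


def substitution_detected(k_alice, k_bob):
    """True when the endpoints did not end up with the same session key."""
    return fingerprint(k_alice) != fingerprint(k_bob)
```

Because both ephemeral secrets are dropped when `handshake` returns, a transcript recorded today gives a later analyst nothing to derive the key from; only substitution during the exchange changes the outcome, and that is what the fingerprint comparison catches.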