lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed Mar 15 18:41:47 2006
From: simon at snosoft.com (Simon Smith)
Subject: HTTP AUTH BASIC monowall.

gboyce wrote:
> Ok, so what's your alternative?
My alternative is to manage critical systems without using a web based
GUI. Since there aren't that many truly critical systems (in my network)
I can do that without a problem.
>
> You're already assuming that the user of the firewall is already
> misusing SSL.  They need to blindly accept unsigned SSL certificates,
> and changes to the certificates.  Just about any security restrictions
> you can apply can be done away with if the user is incompetant enough.
    You're right.
>
> Some form of challenge response?  If you can already perform a man in
> the middle attack, than challenge response is just as vulnerable. 
> Just connect to the server when the client hits you, and pass them the
> challenge you recieved.  Use the credential yourself, and pass them a
> failure.  When they try again, connect them to the server.
    You're right again.  Does everyone here think that the majority of
companies hire security aware people?
> I suppose client certificates would work, but do you honestly believe
> there are many firewall admins who would go through the pain and
> effort to setup a server that deals with client certificates properly,
> but wouldn't notice SSL server certificate changes?
    I still agree with you.

  
>
> On Wed, 15 Mar 2006, Simon Smith wrote:
>
>> Ok,
>>    As suspected... so I am correct; and it is a security threat. I can
>> compromise a network, arp poison it, MiTM, access the firewall,
>> distributed metastasis, presto... owned...
>>
>>
>> Michael Holstein wrote:
>>>> which brings up a question... what are the odds that someone could
>>>> forcefully redirect traffic to their proxy after having compromised a
>>>> network? Could this be done with arp poisoning? I haven't toyed with
>>>> that in a while so I can't say yes or no...
>>>
>>> If it's Ethernet, and you're on the same broadcast network, yes. Check
>>> out arpspoof (part of dsniff). You also need to setup a userspace
>>> router to forward the packets -- easiest way is fragrouter.
>>>
>>> FYI : this also works quite well on wireless.
>>>
>>> ~Mike.
>>
>>
>> -- 
>>
>>
>> Regards,
>>     Adriel T. Desautels
>>     Harvard Security Group
>>     http://www.harvardsecuritygroup.com
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>


-- 


Regards, 
	Adriel T. Desautels
	Harvard Security Group
	http://www.harvardsecuritygroup.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ