Open Source and information security mailing list archives
 
Date: Wed Jun 14 00:49:12 2006
From: sixsigma98 at hotmail.com (Ray P)
Subject: SSL VPNs and security

Why do I keep reading that "IPSec provides full network connectivity"? SC 
Magazine just repeated this nonsense.

It only does that if you have it configured that way. Even Microsoft's PPTP 
& L2TP "free" stuff can be limited. And you can configure an SSL VPN to do 
likewise.

Ray

>From: Q-Ball <qballus@...il.com>
>To: Tim <tim-security@...tinelchicken.org>
>CC: full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] SSL VPNs and security
>Date: Tue, 13 Jun 2006 15:13:45 +1000
>
>SSL VPNs have their legitimate place as does IPSec. Personally, I'd rather
>that travelling execs who need to log on from a public Internet terminal,
>don't have full IP connectivity into the network, but maybe that's just me.
>
>Q-Ball
>
>On 6/10/06, Tim <tim-security@...tinelchicken.org> wrote:
>>
>> > That depends on whether the solution tries to solve single-sign-on
>> > problems as well.  If the vendor is trying to handle SSO in such an
>> > environment, then they are probably using domain cookies.  The
>> > problems are exactly the same as the ones Michal listed, plus some
>> > additional ones specific to domain cookies.
>>
>>Right, that does make it difficult.  There are probably workarounds, but
>>they may be browser-specific.  Wildcard cookies, cookies set to other
>>origins, or somehow setting document.domain back to the base domain
>>after the initial page load might help, but some would probably present
>>the same problem.
>>
>>The web was never designed for complex application development.  At
>>least, web standards aren't.  Use a real VPN.
>>
>>cheers,
>>tim
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>>

