Open Source and information security mailing list archives
Date: Sat, 13 Oct 2007 11:14:26 -0400
From: Valdis.Kletnieks@...edu
To: full-disclosure@...hmail.com
Cc: kristian.hermansen@...il.com, full-disclosure@...ts.grok.org.uk,
	full-disclosure-bounces@...ts.grok.org.uk
Subject: Re: extension for Firefox to force HTTPS always?

On Sat, 13 Oct 2007 10:25:46 EDT, full-disclosure@...hmail.com said:

> No idea you got an idea big guy?

No, merely pointing out an under-specification of the problem.  There's any
number of ways that it *could* be set up - the question is what the *desired*
behavior is.  Blindly rewriting everything to https: is *doable*, but results
in some ugly corner cases.  Now, Kristian's *original* request was "you don't
want to leak unencrypted data".  The reasonable response is - is it OK to leak
unencrypted, *unimportant* data (such as hitting www.cnn.com to check the news
while you take a short break)?  In fact, a *clever* pen tester may in fact
*want* to have at least *some* innocuous port 80 traffic, just so they don't
stand out because they're *only* doing port 443 traffic....

(And the *really* sneaky pen tester will maintain a pseudo-random stream of
hits to CNN and google and the like, and tunnel their *important* data out via
SSL to some site with a pr0n-for-pay-ish name like www.llamas-r-hot.com,
because you *expect* to see that sort of traffic distribution... ;)

So while "do everything over SSL" may sound like a good first cut (and in fact
*is* a good start), the overall question is "what data do you want to conceal,
and from whom, exactly?"

> On Fri, 12 Oct 2007 22:45:12 -0400 Valdis.Kletnieks@...edu wrote:
> >Same problem still - you proxy, you rewrite it to port 443 - and
> >the destination
> >doesn't *have* anything at port 443. What should your Apache do?

And anybody who has been doing security for more than a week or so *knows* that
failure to deal with corner cases like "but there's nothing *listening* on
port 443" is a *major* source of bugs and places to find your 0-days.



Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
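The corner case the thread keeps returning to (a rewrite rule that blindly turns every http:// URL into https:// when the destination has nothing listening on port 443) can be made explicit in the rewrite policy itself. The following is an added example, not code from the thread or from any Firefox extension or Apache module it mentions: a decision function that upgrades only when a TLS listener is actually reachable, lets a named set of "innocuous" hosts stay plaintext, and blocks everything else rather than guessing. The probe is injected as a callable so the policy can be exercised offline; the real probe uses only the standard library. Host names, the innocuous list and the action names are assumptions.

```python
"""Decide whether an http:// request may be rewritten to https://.

Added example for the Full-Disclosure thread above; not the original
poster's code. Host names and action labels are assumed for illustration.
"""
import socket
import ssl
from typing import Callable, Dict, FrozenSet, Tuple
from urllib.parse import urlsplit, urlunsplit

# Actions the proxy can take for one request (assumed names).
UPGRADE = "upgrade"   # rewrite http:// -> https://, the destination speaks TLS
ALLOW = "allow"       # pass the request through unchanged
BLOCK = "block"       # refuse rather than leak plaintext or guess a port


def tls_listener_present(host: str, timeout: float = 3.0) -> bool:
    """Real probe: open host:443 and complete a TLS handshake.

    Any failure (no listener, timeout, handshake or certificate error)
    counts as "nothing usable on 443", which is exactly the case the
    thread says a blind rewrite mishandles.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


class UpgradePolicy:
    """Per-request upgrade decision with a cache of probe results."""

    def __init__(self, probe: Callable[[str], bool],
                 innocuous_hosts: FrozenSet[str] = frozenset()) -> None:
        self.probe = probe
        self.innocuous_hosts = {h.lower() for h in innocuous_hosts}
        self._cache: Dict[str, bool] = {}   # host -> has TLS listener

    def _has_tls(self, host: str) -> bool:
        if host not in self._cache:
            self._cache[host] = self.probe(host)
        return self._cache[host]

    def decide(self, url: str) -> Tuple[str, str]:
        """Return (action, url_to_fetch)."""
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme == "https":
            return (ALLOW, url)                 # already encrypted
        if scheme != "http":
            return (BLOCK, url)                 # ftp:, file:, etc. are out of scope
        host = (parts.hostname or "").lower()
        if not host:
            return (BLOCK, url)
        # A non-default plaintext port has no obvious TLS counterpart;
        # rewriting it to 443 would be a guess, so refuse instead.
        if parts.port not in (None, 80):
            return (BLOCK, url)
        if self._has_tls(host):
            upgraded = urlunsplit(("https", host, parts.path,
                                   parts.query, parts.fragment))
            return (UPGRADE, upgraded)
        # No TLS service: plaintext is acceptable only for hosts the
        # operator has explicitly declared unimportant (the "CNN" case).
        if host in self.innocuous_hosts:
            return (ALLOW, url)
        return (BLOCK, url)


def demo_policy() -> UpgradePolicy:
    """Policy wired to a constructed probe so it runs without a network.

    Only 'secure.example' pretends to have a TLS listener; 'news.example'
    is declared innocuous; everything else is unknown.
    """
    fake_probe = lambda host: host == "secure.example"
    return UpgradePolicy(fake_probe, frozenset({"news.example"}))


if __name__ == "__main__":
    # To run against live hosts instead, pass tls_listener_present as the probe.
    policy = demo_policy()
    for u in ("http://secure.example/login",
              "http://news.example/headlines",
              "http://other.example/",
              "http://secure.example:8080/admin",
              "https://secure.example/"):
        print(u, "->", policy.decide(u))
```

The interesting property is that the probe result is cached per host, so a destination with nothing on 443 is probed once and then consistently blocked or allowed, rather than costing a failed handshake on every request; swapping the constructed probe for `tls_listener_present` turns the same policy into a live one.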
