lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 12 Oct 2007 22:12:08 -0400
From: Harry Hoffman <hhoffman@...solutions.net>
To: full-disclosure@...hmail.com
Cc: kristian.hermansen@...il.com, full-disclosure@...ts.grok.org.uk
Subject: Re: extension for Firefox to force HTTPS always?

what is wrong with his suggestion?

If you look at the situation the following things happen:

[hhoffman@...alhost ~]$ host www.cnn.com
www.cnn.com has address 64.236.16.20
www.cnn.com has address 64.236.16.52
www.cnn.com has address 64.236.24.12
www.cnn.com has address 64.236.29.120
www.cnn.com has address 64.236.91.21
www.cnn.com has address 64.236.91.22
www.cnn.com has address 64.236.91.23
www.cnn.com has address 64.236.91.24
Host www.cnn.com not found: 3(NXDOMAIN)


[hhoffman@...alhost ~]$ openssl s_client -connect www.cnn.com:443


[root@...alhost ~]# tcpdump -i wlan0 -ln tcp port 443 and net '64.236'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
22:02:32.427607 IP 192.168.1.103.35113 > 64.236.24.12.https: S 
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102380687 
0,nop,wscale 7>
22:02:35.427467 IP 192.168.1.103.35113 > 64.236.24.12.https: S 
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102383687 
0,nop,wscale 7>
22:02:41.427496 IP 192.168.1.103.35113 > 64.236.24.12.https: S 
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102389687 
0,nop,wscale 7>
22:02:53.427470 IP 192.168.1.103.35113 > 64.236.24.12.https: S 
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102401687 
0,nop,wscale 7>
22:03:17.427469 IP 192.168.1.103.35113 > 64.236.24.12.https: S 
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102425687 
0,nop,wscale 7>
22:04:05.427466 IP 192.168.1.103.35113 > 64.236.24.12.https: S 
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102473687 
0,nop,wscale 7>
22:05:41.427556 IP 192.168.1.103.47627 > 64.236.29.120.https: S 
2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102569687 
0,nop,wscale 7>
22:05:44.427467 IP 192.168.1.103.47627 > 64.236.29.120.https: S 
2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102572687 
0,nop,wscale 7>
22:05:50.427472 IP 192.168.1.103.47627 > 64.236.29.120.https: S 
2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102578687 
0,nop,wscale 7>
22:06:02.428441 IP 192.168.1.103.47627 > 64.236.29.120.https: S 
2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102590687 
0,nop,wscale 7>


If there are a ton of addresses associated with the hostname record 
you'd be sitting there for a long time, no?

It'd be nice if sites sent a unreachable message but some ppl still 
believe that blocking all ICMP is ok...

go figure.

Cheers,
Harry


full-disclosure@...hmail.com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> MAYBE YOU HAVE A SUGGESTION OR SOMETHING CONSTRUCTIVE TO SAY AFTER
> ALL THESE YEARS VLADIS OR MAYBE YOU SHOULD SHUT THE FUCK UP!!!
> 
> YOU AREN'T SMARTER THAN WE THINK YOU ARE
> 
> On Fri, 12 Oct 2007 21:55:37 -0400 Valdis.Kletnieks@...edu wrote:
>> On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
>>> I just wanted to clarify that I am looking for an extension that
>> will
>>> rewrite all encountered HTTP references in Firefox to HTTPS.  I
>> would
>>> already have a firewall or some other layer7 filtering device
>> blocking
>>> unencrypted traffic.  The addon "Better Gmail" does something
>> similar
>>> to this, with the "force HTTPS" option, but not exactly...
>> What should this hypothetical extension do if it automagically
>> redirect
>> http: to https:, but the target server is something that is only
>> listening
>> on port 80 because it doesn't have https: enabled?
>>
>> https://www.cnn.com just sorta sits there for me.
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Charset: UTF8
> Version: Hush 2.5
> 
> wpwEAQECAAYFAkcQJ40ACgkQ+dWaEhErNvQjfAQAhvRta2YldG0s+RPwOOYQJhmavq4c
> uo/dTsCd3EQy6yQru6oGcmWR7CdCo8EvwoTpB0EwLgVW4z7/lujiayEMECV4zejTNztw
> NSabygNoko5I8wh5trmqvoSb4RfPW79qEWLgTosECR1dsCu5FfXuKZhgQwbweWpi09gh
> zDPTvGg=
> =jxe7
> -----END PGP SIGNATURE-----
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ