Date: Mon, 5 Jan 2009 15:19:06 -0800
From: Tim <tim-security@...tinelchicken.org>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: FD / lists.grok.org - bad SSL cert

> No, I don't claim that Joe Sixpack will notice if they're ettercap'ed. However,
> fine distinctions like the difference between "just throw ettercap at it" and
> "this protects against passive sniffing but not active MITM" are
> often important in this business.


That's the thing.  I don't think that distinction is relevant in modern
networks.  Maybe ettercap isn't the optimal tool, but you *should not
differentiate between MitM and passive sniffing attacks* if there is no
authentication being performed.  Unless someone provides me with a
counterexample, I'm saying that those with access to sniff a network
have the access to perform MitM attacks.  That's all that's applicable,
because the only thing making MitM "harder" is the right piece of
software.  I think our DRM friends in the content industry have come to
realize that this does not make things harder.  All it takes is one guy
to write and release it.

Implying to non-security types that there is some kind of tangible
difference in the security between plain text and non-authenticated SSL
is a great disservice.  Yeah, to the layman it sounds like there ought
to be a difference, but there isn't.

tim
EOL

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
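An added example, not part of Tim's message or the thread: the "non-authenticated SSL" under discussion, expressed as a Python ssl.SSLContext audit. The helper names (authentication_findings, authenticates_server and the three context builders) are this example's own; the weak context is the "switch verification off" configuration beside its corrected form, and a third case shows that chain verification without a hostname check still admits an impostor holding a valid certificate for some other name.

```python
import ssl

# Added example (not from the thread). Encryption without peer authentication
# stops passive sniffing only: an active MitM presents its own certificate and
# an unauthenticating client accepts it, so against that attacker the channel
# is plaintext-equivalent, which is the point Tim makes above.


def authentication_findings(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons this client context would accept an impostor server.

    Empty list means the peer is authenticated: the chain must verify against
    the trust store AND the certificate name must match the requested host.
    Either gap alone is enough for a MitM to succeed.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: any certificate, including a MitM's, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a valid certificate for *any* name is accepted")
    return findings


def authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only when the context would reject an impostor server."""
    return not authentication_findings(ctx)


def unauthenticated_context() -> ssl.SSLContext:
    """Weak setting: TLS with verification disabled (the usual 'make the error go away' fix)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context() -> ssl.SSLContext:
    """Half-fixed setting: chain verified, but the certificate's name is never compared to the host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def authenticated_context() -> ssl.SSLContext:
    """Corrected setting: system trust store, chain verification and hostname check."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for name, ctx in (("unauthenticated", unauthenticated_context()),
                      ("chain-only", chain_only_context()),
                      ("authenticated", authenticated_context())):
        findings = authentication_findings(ctx)
        verdict = "resists active MitM" if not findings else "plaintext-equivalent against active MitM"
        print(f"{name}: {verdict}")
        for finding in findings:
            print("  -", finding)
```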
