Date: Thu, 17 Jan 2013 19:33:55 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Luigi Rosa <lists@...girosa.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: How to prevent HTTPS MitM

On Thu, Jan 17, 2013 at 3:56 PM, Luigi Rosa <lists@...girosa.com> wrote:
> If this message is offtopic, please excuse me.
>
> I was reading about Nokia HTTPS MitM. Many corporate firewalls can MitM HTTPS
> for content inspection and many governments do this for their reasons.
>
> I was thinking: could it be possible to create a fake HTTPS stream to DoS the
> MitM attempt?
Stop conferring trust.

Pin the certificate or public key. Google used it to vet out the
Diginotar compromise in Chrome (all other browsers suffered). It's
similar to SSH's StrictHostKeyChecking option. It's also on track for
internet standards:
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04.

Use Secure Remote Password (SRP). SRP is basically Diffie-Hellman
using the password as an exponent (lots of handwaving).

Don't trust browsers. That includes Mozilla (Trustwave and the closed
door, back room deals) or Opera (Nokia and its 'Acceleration
Interception').

Jeff
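Jeff's pinning advice worked through as an added example (not code from the thread): compute the pin the websec key-pinning draft describes, base64 of SHA-256 over the DER SubjectPublicKeyInfo, with a minimal DER walker, and show that an interception certificate issued for the same name but a different key fails the pin even though chain validation would accept it. The toy certificates, the key bytes and the `children`/`spki_pin` helpers are constructed here for the example.

```python
import base64
import hashlib

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def children(buf: bytes) -> list:
    """Split a DER SEQUENCE into the raw TLV encodings of its elements."""
    def tlv(i):                      # -> (value start, value end) of the TLV at buf[i]
        first = buf[i + 1]
        if first & 0x80:
            nb = first & 0x7F
            return i + 2 + nb, i + 2 + nb + int.from_bytes(buf[i + 2:i + 2 + nb], "big")
        return i + 2, i + 2 + first
    out, (i, end) = [], tlv(0)
    while i < end:
        _, ve = tlv(i)
        out.append(buf[i:ve])
        i = ve
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    fields = children(children(cert_der)[0])
    if fields[0][0] == 0xA0:         # explicit [0] version tag is present on v2/v3 certs
        fields = fields[1:]
    return fields[5]                 # serial, signature, issuer, validity, subject, SPKI

def spki_pin(cert_der: bytes) -> str:
    """Pin as in the websec key-pinning draft: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

# --- constructed sample data: toy X.509 v3 layout, unsigned, not real certificates ---
RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
def toy_spki(key_bytes: bytes) -> bytes:
    return der(0x30, der(0x30, RSA_OID) + der(0x03, b"\x00" + key_bytes))
def toy_cert(subject: bytes, spki: bytes) -> bytes:
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, RSA_OID)
              + der(0x30, der(0x0c, b"Example CA")) + der(0x30, der(0x17, b"130117000000Z") * 2)
              + der(0x30, der(0x0c, subject)) + spki)
    return der(0x30, tbs + der(0x30, RSA_OID) + der(0x03, b"\x00"))
GOOD_SPKI = toy_spki(b"real-server-key")
LEGIT_CERT = toy_cert(b"example.com", GOOD_SPKI)                     # the key you pinned
MITM_CERT = toy_cert(b"example.com", toy_spki(b"interceptor-key"))  # same name, other key
PINS = {spki_pin(LEGIT_CERT)}   # compare against this set after normal chain validation
```

A pin set is checked in addition to, not instead of, ordinary chain validation; the MitM certificate above passes the name check but its SPKI hash is not in `PINS`.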

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
