lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 Feb 2004 14:01:18 -0800
From: "David Schwartz" <davids@...master.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer



	This is a total non-issue. Almost every attack vector that could place a
malicious DLL in the same directory as IE could replace IE itself or snap
screen captures. SSL is not intended to protect against attacks on either
endpoint.

	This is like complaining that your safe doesn't keep people from breaking
your windows. Of course Microsoft has no intended fix, nothing is broken.

	Ironically, the only real fix against someone replacing your browser with a
browser that steals data that is sent encrypted is to integrate the
retrieval/rendering logic into the operating system such that it cannot be
replaced. Something for which nearly every expert in the field has argued
that there is no rational technical justification.

	In other words, if you can choose Netscape as your default browser, then an
attacker can choose a browser that tees off your decrypted data. The only
solution is for you to be unable to change your browser.

	DS




Powered by blists - more mailing lists