lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 27 Oct 2005 10:32:53 +1300
From: Jason Haar <Jason.Haar@...mble.co.nz>
To: Bob Beck <beck@...h.cns.ualberta.ca>
Cc: Tony Finch <dot@...at.at>, bugtraq@...urityfocus.com
Subject: Re: Mozilla Thunderbird SMTP down-negotiation weakness


Bob Beck wrote:

>	Sit you your faviorite wireless network and MITM your faviorite ssl
>web sites off it. If your user population is very intelligent, maybe
>only 9 out of 10 will click the "Windows is annoying me with a box and
>an OK button - I will click OK to keep going" popup and ignore the
>certificate mismatch utterly. Otherwise the only hard part will be
>finding a user that doesn't ignore the mismatch - it's so easy to
>get passwords this way it isn't even sporting. It's like whacking baby
>seals with a stick.
>
>	SSL/TLS applications are just the latest most fertile ground where
>software designers have put in a crutches for lazy stupid people thereby
>rendering something kinda ok into something mostly useless. 
>  
>
Well said. I don't see anyone complaining that MSIE allows you to
click-through the warning that the presented cert doesn't match the
hostname and carry on and get compromised. Same with signing executables.

Users don't know what it means - and they "just want it to work!".
Frankly, there is only so much technology can do. At some stage people
have to start taking responsibility for their choices (shall we measure
the IQ of people who open GIF-file based password protected zip files
and run the contents!?!?!? Sheesh)

Actually I'm glad you can click-through and ignore cert mismatches.
Without it I couldn't read many self-signed Web sites where they use
certs just to protect their data in transit. It would smack of  monopoly
practices if only Verisign-signed sites/whatever worked within browsers.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ