Message-ID: <20070313192914.GW25871@bofh.cns.ualberta.ca>
Date: Tue, 13 Mar 2007 13:29:14 -0600
From: Bob Beck <beck@...h.cns.ualberta.ca>
To: Jan Wrobel <wrobel@...es.ath.cx>
Cc: Jex <hewhohuntscats@...il.com>, focus-ids@...urityfocus.com,
	bugtraq@...urityfocus.com
Subject: Re: Firekeeper - IDS for Firefox available

> 
> Isn't it the case with every software created to add some protection
> to your computer? Firewalls, antiviruses, IDSes etc. are all adding
> code to your operating system that may, in the future, be found
> vulnerable to some attack. It is just the question whether the protection
> they provide compensates for the additional threat they may introduce.
> 

	Yes, protection can mean added code, but consider the kind of code
and where it is running. Typically I run an IDS such as snort on a tap
interface with no access to send anything out. In particular, it's
not looking at endpoint traffic after it's decrypted. Why? IDSes are
big complicated things that do lots of string and byte comparisons
against data provided by an attacker, the kind of code in which it is easy
for the author to make mistakes that lead to compromisable
situations.

	So if snort is compromised, all the attacker typically gets without
more work is the ability to sniff, not the ability to look at
encrypted traffic in the clear, and ideally not the ability to send
traffic out.

	Other programs (i.e. ssh) deal with complexity like this by
attempting to isolate the privileges that the code doing most of the
string bashing is running as - i.e. a privsep model, so if you break a
piece of it (at least in most of the code) you *Don't* see encrypted
traffic or passwords.

	If this critter is compromised, he likely gets the entire
endpoint machine, or if not, he most likely for sure gets
the ability to read decrypted https streams. Fix the browser bugs
rather than having another plugin to look for them.

	-Bob
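The privsep pattern Bob describes (the rule matching against attacker-supplied bytes runs in a throwaway worker that can only hand a verdict back to a monitor) can be sketched in a few lines. The following is an added example, not code from the thread, from snort or from OpenSSH: the rule set, the sample payloads and the `SIMULATED_BUG` marker that stands in for a memory-safety defect in the matcher are all constructed for illustration. The worker is forked with `RLIMIT_NOFILE` set to zero, so it cannot open a socket and send anything out, and with a CPU limit so a pathological pattern cannot hang the monitor; when the matcher "segfaults", the monitor records a crash and carries on rather than being taken down with it.

```python
"""Privilege-separated inspector: attacker-supplied bytes are matched in a
throwaway child process that can only report a verdict back to the parent."""
import os
import resource
import signal

# Constructed rule set and crash marker (not real snort rules).
RULES = [b"/etc/passwd", b"<script>"]
SIMULATED_BUG = b"\x00CRASH\x00"  # stands in for a memory-safety bug in the matcher


def match_rules(payload: bytes, rules) -> list[str]:
    """The "string bashing": compare attacker-controlled bytes against every rule."""
    if SIMULATED_BUG in payload:
        # Simulated matcher defect: behave like a segfault so the parent can
        # show that a crashing inspector does not take the monitor down.
        os.kill(os.getpid(), signal.SIGSEGV)
    return [r.decode() for r in rules if r in payload]


def inspect_isolated(payload: bytes, rules=RULES, cpu_seconds: int = 2):
    """Run match_rules in a limited child; return (state, hits).

    state is 'ok', 'error' or 'crashed:<signal number>'.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the unprivileged worker
        try:
            os.close(rfd)
            # No new file descriptors: the worker cannot open a socket, so it
            # cannot send anything out even if its matcher is subverted.
            resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))
            # Bound CPU time so a pathological pattern cannot hang the monitor.
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
            hits = match_rules(payload, rules)
            os.write(wfd, ",".join(hits).encode())
            os._exit(0)
        except BaseException:
            os._exit(1)
    # parent: the monitor. It never parses the payload itself; it only
    # reads the verdict and checks how the worker died.
    os.close(wfd)
    chunks = []
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return f"crashed:{os.WTERMSIG(status)}", []
    if os.WEXITSTATUS(status) != 0:
        return "error", []
    verdict = b"".join(chunks).decode()
    return "ok", verdict.split(",") if verdict else []


if __name__ == "__main__":
    # Constructed sample payloads: benign, matching, and one that trips the simulated bug.
    for sample in (b"GET /index.html", b"GET /../../etc/passwd", SIMULATED_BUG + b"<script>"):
        print(sample[:24], inspect_isolated(sample))
```

The monitor learns only what the worker chose to report; a subverted worker has no descriptor to send traffic on and nothing of the parent's beyond the bytes it was asked to inspect. A browser-resident inspector, by contrast, runs as the browser itself, which is exactly the gap Bob's message points at.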
