Message-ID: <6ec88adc04101323055ff9f41d@mail.gmail.com>
From: KKadow at gmail.com (Kevin)
Subject: Possibly a stupid question RPC over HTTP

On Wed, 13 Oct 2004 15:33:13 -0700 (PDT), S G Masood <sgmasood@...oo.com> wrote:
> Yeah, it certainly is a security risk in several ways.
> Decoding and inspecting HTTPS traffic at the perimeter
> before it reaches the server becomes an absolute
> necessity if RPC over HTTPS is implemented. Same with
> RPC over HTTP.

There was a Microsoft employee on-site for a few days this summer, and
I noticed one day that he was reading MS email messages in Outlook
2003 (not OWA) from his laptop while connected to *our* private LAN.

Any smart enterprise blocks all POP/IMAP/MAPI protocols both inbound
and outbound, so this made me more than a bit suspicious...  When I
checked the proxy traffic from the DHCP address assigned to his
laptop, I saw normal-lookup HTTP requests followed by additional RPC
headers.  Turns out the employee he was working with helpfully gave
him the information to use the outbound proxy, and after configuring
proxy settings in the control panel, it "just worked".

Our visitor went back to Redmond before I could get approval from
management to modify the firewall configuration to explicitly block
RPC-over-HTTP :(

Kevin
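
A proxy-log check for the kind of traffic described in this message, as an added example that is not part of the original post: it flags requests that use the RPC over HTTP methods RPC_IN_DATA / RPC_OUT_DATA, the default /rpc/rpcproxy.dll endpoint, or the MSRPC User-Agent. The log layout, addresses, host names and the function name are constructed for illustration. When the session runs over HTTPS, a forward proxy sees only CONNECT, so these fields are visible only where TLS is inspected.

```python
import re
from collections import defaultdict

# RPC over HTTP uses two non-standard HTTP methods and, by default,
# the rpcproxy.dll endpoint on the RPC proxy server.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
RPC_PATH = re.compile(r"/rpc/rpcproxy\.dll", re.IGNORECASE)

# Assumed log layout (constructed for this example, not a real proxy format):
#   <epoch> <client_ip> <status> <method> <url> "<user-agent>"
LINE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
1097706000.101 10.20.30.41 200 GET http://www.example.com/index.html "Mozilla/4.0 (compatible; MSIE 6.0)"
1097706003.412 10.20.30.77 200 GET http://www.example.com/ "Mozilla/4.0 (compatible; MSIE 6.0)"
1097706010.007 10.20.30.77 200 RPC_IN_DATA http://mail.example.net/rpc/rpcproxy.dll?mbx01.example.net:6001 "MSRPC"
1097706010.019 10.20.30.77 200 RPC_OUT_DATA http://mail.example.net/rpc/rpcproxy.dll?mbx01.example.net:6001 "MSRPC"
1097706011.500 10.20.30.52 200 POST http://intranet.example.com/Rpc/RpcProxy.dll "curl/7.12"
this line is malformed and is skipped
"""

def find_rpc_over_http(log_text):
    """Return {client_ip: [(reasons, method, url), ...]} for suspect requests."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        reasons = []
        if m["method"].upper() in RPC_METHODS:
            reasons.append("rpc-method")
        if RPC_PATH.search(m["url"]):
            reasons.append("rpcproxy-path")
        if m["ua"].strip().upper() == "MSRPC":
            reasons.append("msrpc-user-agent")
        if reasons:
            hits[m["client"]].append(("+".join(reasons), m["method"], m["url"]))
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_rpc_over_http(SAMPLE_LOG).items():
        for reason, method, url in events:
            print(f"{client}  {method:<13} {url}  [{reason}]")
```

Matching on the method alone is the strongest signal; the path and User-Agent checks catch requests where one of the other fields has been altered or a different method is used against the same endpoint.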

