| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0603151213300.32040@localhost.localdomain> Date: Wed Mar 15 17:21:17 2006 From: gboyce at badbelly.com (gboyce) Subject: HTTP AUTH BASIC monowall. Ok, so what's your alternative? You're already assuming that the user of the firewall is already misusing SSL. They need to blindly accept unsigned SSL certificates, and changes to the certificates. Just about any security restrictions you can apply can be done away with if the user is incompetant enough. Some form of challenge response? If you can already perform a man in the middle attack, than challenge response is just as vulnerable. Just connect to the server when the client hits you, and pass them the challenge you recieved. Use the credential yourself, and pass them a failure. When they try again, connect them to the server. I suppose client certificates would work, but do you honestly believe there are many firewall admins who would go through the pain and effort to setup a server that deals with client certificates properly, but wouldn't notice SSL server certificate changes? On Wed, 15 Mar 2006, Simon Smith wrote: > Ok, > As suspected... so I am correct; and it is a security threat. I can > compromise a network, arp poison it, MiTM, access the firewall, > distributed metastasis, presto... owned... > > > Michael Holstein wrote: >>> which brings up a question... what are the odds that someone could >>> forcefully redirect traffic to their proxy after having compromised a >>> network? Could this be done with arp poisoning? I haven't toyed with >>> that in a while so I can't say yes or no... >> >> If it's Ethernet, and you're on the same broadcast network, yes. Check >> out arpspoof (part of dsniff). You also need to setup a userspace >> router to forward the packets -- easiest way is fragrouter. >> >> FYI : this also works quite well on wireless. >> >> ~Mike. > > > -- > > > Regards, > Adriel T. Desautels > Harvard Security Group > http://www.harvardsecuritygroup.com > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
Powered by blists - more mailing lists