Message-ID: <44185FBE.1030702@snosoft.com>
Date: Wed Mar 15 18:41:47 2006
From: simon at snosoft.com (Simon Smith)
Subject: HTTP AUTH BASIC monowall.
gboyce wrote:
> Ok, so what's your alternative?
My alternative is to manage critical systems without using a web based
GUI. Since there aren't that many truly critical systems (in my network)
I can do that without a problem.
>
> You're already assuming that the user of the firewall is already
> misusing SSL. They need to blindly accept unsigned SSL certificates,
> and changes to the certificates. Just about any security restrictions
> you can apply can be done away with if the user is incompetent enough.
You're right.
>
> Some form of challenge response? If you can already perform a man in
> the middle attack, then challenge response is just as vulnerable.
> Just connect to the server when the client hits you, and pass them the
> challenge you received. Use the credential yourself, and pass them a
> failure. When they try again, connect them to the server.
You're right again. Does everyone here think that the majority of
companies hire security aware people?
> I suppose client certificates would work, but do you honestly believe
> there are many firewall admins who would go through the pain and
> effort to set up a server that deals with client certificates properly,
> but wouldn't notice SSL server certificate changes?
I still agree with you.
>
> On Wed, 15 Mar 2006, Simon Smith wrote:
>
>> Ok,
>> As suspected... so I am correct; and it is a security threat. I can
>> compromise a network, arp poison it, MiTM, access the firewall,
>> distributed metastasis, presto... owned...
>>
>>
>> Michael Holstein wrote:
>>>> which brings up a question... what are the odds that someone could
>>>> forcefully redirect traffic to their proxy after having compromised a
>>>> network? Could this be done with arp poisoning? I haven't toyed with
>>>> that in a while so I can't say yes or no...
>>>
>>> If it's Ethernet, and you're on the same broadcast network, yes. Check
>>> out arpspoof (part of dsniff). You also need to set up a userspace
>>> router to forward the packets -- easiest way is fragrouter.
>>>
>>> FYI : this also works quite well on wireless.
>>>
>>> ~Mike.
>>
>>
>> --
>>
>>
>> Regards,
>> Adriel T. Desautels
>> Harvard Security Group
>> http://www.harvardsecuritygroup.com
>>
>>
--
Regards,
Adriel T. Desautels
Harvard Security Group
http://www.harvardsecuritygroup.com
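
The thread turns on admins accepting changed SSL server certificates before sending HTTP Basic credentials. The following is an added example, not part of the original message or of m0n0wall: a trust-on-first-use pin check that refuses to build the Basic header when the presented certificate differs from the one recorded earlier. The host name, credentials and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac


class CertificateChanged(Exception):
    """The server presented a certificate that differs from the pinned one."""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def check_pin(store: dict, host: str, der: bytes) -> str:
    """Record the first fingerprint seen for a host; reject any later change."""
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen  # first use: confirm this value out of band
        return "pinned"
    if not hmac.compare_digest(pinned, seen):
        raise CertificateChanged(f"{host}: pinned {pinned[:16]}, got {seen[:16]}")
    return "match"


def basic_auth_header(store: dict, host: str, der: bytes, user: str, password: str) -> dict:
    """Build the Authorization header only after the pin check passes.

    In real use `der` should come from SSLSocket.getpeercert(binary_form=True)
    on the same connection that will carry the header.
    """
    check_pin(store, host, der)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


# Constructed stand-ins for DER certificates (not real certificates).
ORIGINAL_CERT = b"constructed-der-bytes-firewall-self-signed"
SWAPPED_CERT = b"constructed-der-bytes-presented-by-proxy"
HOST = "fw.example.internal"  # hypothetical firewall host name


def demo():
    store = {}
    first = check_pin(store, HOST, ORIGINAL_CERT)
    header = basic_auth_header(store, HOST, ORIGINAL_CERT, "admin", "constructed-password")
    try:
        basic_auth_header(store, HOST, SWAPPED_CERT, "admin", "constructed-password")
        sent_to_changed_cert = True
    except CertificateChanged:
        sent_to_changed_cert = False
    return first, header, sent_to_changed_cert
```

The pin is only as good as the first observation, so the initial fingerprint has to be compared against the value read from the firewall console or another trusted channel.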