lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <242a0a8f0603151214x39627a7fq99666a0fb3fc1090@mail.gmail.com>
Date: Thu Mar 16 09:52:19 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: HTTP AUTH BASIC monowall

tim-security at sentinelchicken.org wrote:
>> (assuming the admin doesn't notice the cert changes and all that good
>> stuff.)

> There's your problem.  If you assume this, you will always be vulnerable
> to MitM if the software you're using allows you to communicate anyway.

> If you're SSH client lets you connect to systems whose keys have
> changed, same problem.  If your VPN client allows it, same problem.

> This is why I wanted you to think about what you are trusting in the
> first place.  You are trusting your CA and the certificate chain.  If
> you can't do that, then you have no trust.

How trustworthy are the CA certificates included in the average browser?

There are a couple of dozen CA certificates shipped with my browser.
Some of the vendors associated with these CA certificates offer to
give me a certificate for my web site in 10 minutes or less for a
couple of hundred dollars.

This sounds like a really ripe opportunity for social engineering to me.

- Brian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ