Message-ID: <44198795.5030402@uniontown.com>
Date: Thu Mar 16 15:41:27 2006
From: securitylistgrok at uniontown.com (Mark Coleman)
Subject: HTTP AUTH BASIC monowall.
At the risk of being flamed, I'll chime in with this since I don't think
it's been mentioned as an alternative:
How about SecurID one-time passwords? Ride the HTTP Auth on SSL which
hides it all, and a Malcolm in the Middle attack just gets username/PIN
and a one-time password (MitM gives ability to DoS lockout your account).
-Mark Coleman
gboyce wrote:
> Ok, so what's your alternative?
>
> You're already assuming that the user of the firewall is already
> misusing SSL. They need to blindly accept unsigned SSL certificates,
> and changes to the certificates. Just about any security restrictions
> you can apply can be done away with if the user is incompetent enough.
>
> Some form of challenge response? If you can already perform a man in
> the middle attack, then challenge response is just as vulnerable.
> Just connect to the server when the client hits you, and pass them the
> challenge you received. Use the credential yourself, and pass them a
> failure. When they try again, connect them to the server.