[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <242a0a8f0606090711s14567855i16284a0070f75768@mail.gmail.com>
Date: Fri Jun 9 15:12:04 2006
From: eaton.lists at gmail.com (Brian Eaton)
Subject: SSL VPNs and security
On 6/9/06, Tim <tim-security@...tinelchicken.org> wrote:
> Set up a wildcard record, *.webvpn.example.org, pointing to the device.
> The device then maps all internal domain names or IP addresses to a
> unique hostname, such as: internalhost.webvpn.example.org, or
> 192-168-0-1.webvpn.example.org, etc.
>
> Wouldn't this properly segment different internal sites, such that an
> XSS in one wouldn't impact the other? If so, pay attention all SSL VPN
> vendors: it is your free idea for the week.
That depends on whether the solution tries to solve single-sign-on
problems as well. If the vendor is trying to handle SSO in such an
environment, then they are probably using domain cookies. The
problems are exactly the same as the ones Michal listed, plus some
additional ones specific to domain cookies.
- Brian
Powered by blists - more mailing lists