lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9f08cff0606131800r57085d49t8be7d8d8bb37105f@mail.gmail.com>
Date: Wed Jun 14 02:01:06 2006
From: qballus at gmail.com (Q-Ball)
Subject: SSL VPNs and security

Sure traffic can be filtered, but the point is that the layer 7 connection
is terminated at the network perimiter rather than the internatl network
which is typically much less protected.

On 6/14/06, Ray P <sixsigma98@...mail.com> wrote:
>
> Why do I keep reading that "IPSec provides full network connectivity"? SC
> Magazine just repeated this nonsense.
>
> It only does that if you have it configured that way. Even Microsoft's
> PPTP
> & L2TP "free" stuff can be limited. And you can configure an SSL VPN to do
> likewise.
>
> Ray
>
> >From: Q-Ball <qballus@...il.com>
> >To: Tim <tim-security@...tinelchicken.org>
> >CC: full-disclosure@...ts.grok.org.uk
> >Subject: Re: [Full-disclosure] SSL VPNs and security
> >Date: Tue, 13 Jun 2006 15:13:45 +1000
> >
> >SSL VPNs have their legitimate place as does IPSec. Personally, I'd
> rather
> >that travelling exec's who need to log on from a public Internet
> terminal,
> >dont have full IP connectivity into the network, but maybe that's just
> me.
> >
> >Q-Ball
> >
> >On 6/10/06, Tim <tim-security@...tinelchicken.org> wrote:
> >>
> >> > That depends on whether the solution tries to solve single-sign-on
> >> > problems as well.  If the vendor is trying to handle SSO in such an
> >> > environment, then they are probably using domain cookies.  The
> >> > problems are exactly the same as the ones Michal listed, plus some
> >> > additional ones specific to domain cookies.
> >>
> >>Right, that does make it difficult.  There's probably work arounds, but
> >>they may be browser-specific.  Wildcard cookies, cookies set to other
> >>origins, or somehow setting document.domain back to the base domain
> >>after the initial page load might help, but some would probably present
> >>the same problem.
> >>
> >>The web was never designed for complex application development.  At
> >>least, web standards aren't.  Use a real VPN.
> >>
> >>cheers,
> >>tim
> >>
> >>_______________________________________________
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>Hosted and sponsored by Secunia - http://secunia.com/
> >>
>
>
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060614/833aa170/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ