| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 13 Oct 2007 14:03:14 -0400 From: <full-disclosure@...hmail.com> To: <valdis.kletnieks@...edu> Cc: kristian.hermansen@...il.com, full-disclosure@...ts.grok.org.uk, full-disclosure-bounces@...ts.grok.org.uk Subject: Re: extension for Firefox to force HTTPS always? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 *wow* you win an *award* for most *stars* used in an *email* to demonstrate your *mental* *superiority* and the *dude* was not even talking about pentesting he was talking about *browsing teh interweb* at net cafes. *you* could have asked for *clarifications* on what he was trying to *accomplish* and instead you chose to *try* becoming a *trendsetter* by using lots of *** in your *email* and still managed to be *completely* offtopic *and* continue to be *useless*. *at least* *gobbles* wants in your pants. http://lists.grok.org.uk/pipermail/full-disclosure/2007- October/066616.html On Sat, 13 Oct 2007 11:14:26 -0400 Valdis.Kletnieks@...edu wrote: >On Sat, 13 Oct 2007 10:25:46 EDT, full-disclosure@...hmail.com >said: > >> No idea you got an idea big guy? > >No, merely pointing out a under-specification of the problem. >There's any >number of ways that it *could* be set up - the question is what >the *desired* >behavior is. Blindly rewriting everything to https: is *doable*, >but results >in some ugly corner cases. Now, Kristian's *original* request was >"you don't >want to leak unencrypted data". The reasonable response is - is >it OK to leak >unencrypted, *unimportant* data (such as hitting www.cnn.com to >check the news >while you take a short break)? In fact, a *clever* pen tester may >in fact >*want* to have at least *some* innocuous port 80 traffic, just so >they don't >stand out because they're *only* doing port 443 traffic.... > >(And the *really* sneaky pen tester will maintain a pseudo-random >stream of >hits to CNN and google and the like, and tunnel their *important* >data out via >SSL to some site with a pr0n-for-pay-ish name like www.llamas-r- >hot.com, >because you *expect* to see that sort of traffic distrbution... ;) > >So while "do everything over SSL" may sound like a good first cut >(and in fact >*is* a good start), the overall question is "what data do you want >to conceal, >and from whom, exactly?" > >> On Fri, 12 Oct 2007 22:45:12 -0400 Valdis.Kletnieks@...edu >wrote: >> >Same problem still - you proxy, you rewrite it to port 443 - >and >> >the destination >> >doesn't *have* anything at port 443. What should your Apache >do? > >And anybody who has been doing security for more than a week or so >*knows* that >failure to deal with corner cases like "but there's nothing >*listening* on >port 443" is a *major* source of bugs and places to find your 0- >days. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Charset: UTF8 Version: Hush 2.5 wpwEAQECAAYFAkcRCGEACgkQ+dWaEhErNvTnRwP/XmLeKQ5ZrkbI8ih1BUvYS67JOuf9 t7CugsT7xZA1VbIvhs5YKiGnzp7SS2upqE1IzuoAMeVk6ZpqghMvZDol5+SCANrMaJCW cI66ybV7j5TtUTc1ESb1Hn85cHS0/A5epZ9qi9TxExyFQtKKRgSOlRy5y7QIB9xTIhS7 BMlQD0A= =oOP6 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists