lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20071013180314.756A42281F@mailserver9.hushmail.com>
Date: Sat, 13 Oct 2007 14:03:14 -0400
From: <full-disclosure@...hmail.com>
To: <valdis.kletnieks@...edu>
Cc: kristian.hermansen@...il.com, full-disclosure@...ts.grok.org.uk,
	full-disclosure-bounces@...ts.grok.org.uk
Subject: Re: extension for Firefox to force HTTPS always?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*wow* you win an *award* for most *stars* used in an *email* to
demonstrate your *mental* *superiority* and the *dude* was not even
talking about pentesting he was talking about *browsing teh
interweb* at net cafes.

*you* could have asked for *clarifications* on what he was trying
to *accomplish* and instead you chose to *try* becoming a
*trendsetter* by using lots of *** in your *email* and still
managed to be *completely* offtopic *and* continue to be *useless*.
 *at least* *gobbles* wants in your pants.

http://lists.grok.org.uk/pipermail/full-disclosure/2007-
October/066616.html



On Sat, 13 Oct 2007 11:14:26 -0400 Valdis.Kletnieks@...edu wrote:
>On Sat, 13 Oct 2007 10:25:46 EDT, full-disclosure@...hmail.com
>said:
>
>> No idea you got an idea big guy?
>
>No, merely pointing out a under-specification of the problem.
>There's any
>number of ways that it *could* be set up - the question is what
>the *desired*
>behavior is.  Blindly rewriting everything to https: is *doable*,
>but results
>in some ugly corner cases.  Now, Kristian's *original* request was
>"you don't
>want to leak unencrypted data".  The reasonable response is - is
>it OK to leak
>unencrypted, *unimportant* data (such as hitting www.cnn.com to
>check the news
>while you take a short break)?  In fact, a *clever* pen tester may
>in fact
>*want* to have at least *some* innocuous port 80 traffic, just so
>they don't
>stand out because they're *only* doing port 443 traffic....
>
>(And the *really* sneaky pen tester will maintain a pseudo-random
>stream of
>hits to CNN and google and the like, and tunnel their *important*
>data out via
>SSL to some site with a pr0n-for-pay-ish name like www.llamas-r-
>hot.com,
>because you *expect* to see that sort of traffic distrbution... ;)
>
>So while "do everything over SSL" may sound like a good first cut
>(and in fact
>*is* a good start), the overall question is "what data do you want
>to conceal,
>and from whom, exactly?"
>
>> On Fri, 12 Oct 2007 22:45:12 -0400 Valdis.Kletnieks@...edu
>wrote:
>> >Same problem still - you proxy, you rewrite it to port 443 -
>and
>> >the destination
>> >doesn't *have* anything at port 443. What should your Apache
>do?
>
>And anybody who has been doing security for more than a week or so
>*knows* that
>failure to deal with corner cases like "but there's nothing
>*listening* on
>port 443" is a *major* source of bugs and places to find your 0-
>days.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkcRCGEACgkQ+dWaEhErNvTnRwP/XmLeKQ5ZrkbI8ih1BUvYS67JOuf9
t7CugsT7xZA1VbIvhs5YKiGnzp7SS2upqE1IzuoAMeVk6ZpqghMvZDol5+SCANrMaJCW
cI66ybV7j5TtUTc1ESb1Hn85cHS0/A5epZ9qi9TxExyFQtKKRgSOlRy5y7QIB9xTIhS7
BMlQD0A=
=oOP6
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ