Message-ID: <4846.1231192497@turing-police.cc.vt.edu>
Date: Mon, 05 Jan 2009 16:54:57 -0500
From: Valdis.Kletnieks@...edu
To: Tim <tim-security@...tinelchicken.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: FD / lists.grok.org - bad SSL cert

On Mon, 05 Jan 2009 13:29:52 PST, Tim said:
> > > How is that better, really?  Run tcpdump or ettercap...  Either of the
> > > tools is off the shelf.
> > 
> > And if the site is using a self-signed cert, how does a 3rd party tcpdump
> > manage to get a *decrypted* datastream?  Yes, you can still do traffic analysis
> > on the "X talked to Y with packet sizes A, B, and C" level, but you can't
> > look at the data.
> 
> 
> You're missing the point of my comment:
> 
>   Plaintext communication => use tcpdump
> 
>   Encrypted without a cert => use ettercap (or something similar)

I believe I stated *up front* that it doesn't secure against an active MITM
attack.  Once ettercap presents a *different* certificate than the one you
were expecting, the victim can at least potentially notice (the same way
that OpenSSH complains if it discovers that a host key is different).

There are also issues with getting things like ettercap working if you don't
have access to the last-hop subnet (good luck sniffing all the traffic
between two routers looking for one netflow ;)

No, I don't claim that Joe Sixpack will notice if they're ettercap'ed. However,
fine distinctions like the difference between "just throw ettercap at it" and
"this protects against passive sniffing but not active MITM" are
often important in this business.
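The "notice a different certificate" check Valdis compares to OpenSSH's host-key warning, written out as an added example (not code from the thread or from the list's own infrastructure): a trust-on-first-use store of SHA-256 certificate fingerprints keyed by hostname, so a self-signed cert that silently changes between connections is flagged instead of accepted. The hostname and certificate bytes in the demo are constructed placeholders.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated
    the way openssl x509 -fingerprint -sha256 prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: dict, host: str, der_cert: bytes) -> str:
    """Known-hosts style check. First contact records the fingerprint and
    returns 'new' (verify it out of band!); later contacts return 'match'
    or 'MISMATCH'. A mismatch is exactly the active-MITM symptom discussed
    above: the peer presented a certificate other than the one pinned."""
    seen = fingerprint(der_cert)
    known = store.get(host)
    if known is None:
        store[host] = seen
        return "new"
    return "match" if known == seen else "MISMATCH"


def fetch_peer_der(host: str, port: int = 443, timeout: float = 10) -> bytes:
    """Fetch the peer's leaf certificate in DER form. CA validation is
    switched off here because a self-signed cert cannot pass it; the pin
    check in check_pin() is what stands in for it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed demo: two different "certificates" for one host (offline).
    pins = {}
    host = "lists.example.test"       # placeholder hostname
    print(check_pin(pins, host, b"constructed-cert-A"))   # new
    print(check_pin(pins, host, b"constructed-cert-A"))   # match
    print(check_pin(pins, host, b"constructed-cert-B"))   # MISMATCH
```

Persisting `pins` to a file (one host per line, like `~/.ssh/known_hosts`) turns this into a passive-sniffing-resistant check that also makes a certificate swap visible on later visits.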
