Date: Wed, 7 Jan 2009 10:47:57 -0600
From: "Michael Krymson" <krymson@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: FD / lists.grok.org - bad SSL cert

Two exercises.

1. Put these three items in order of value to you.
- website with no SSL at all but accepts logins
- website with self-signed SSL
- website with omg-the-world-trusts-it-because-it-cost-money SSL

I think it becomes apparent that there is some value to the self-signed SSL,
as Valdis mentioned. Sure, it doesn't protect against a MITM attack, but it
does protect against raw sniffing, just like he originally said. In fact,
value each of those on a scale of 100 (secured!) to 1 (not secured!). I
imagine you'll find self-signed SSLs are closer to one than the other...


2. Let's say you run this mailing list and don't profit off it. Are you
willing to pay for the SSL cert? Have you done a risk analysis? What exactly
are you protecting by fending off some nasty MITM attack that wants to
sniggle your login credentials for the full-disclosure mailing list, an
unmoderated mailing list where I could pose as you and spoof email if I
wanted? Are your mailing list settings really that important?

My guess is there are three concerns:
a. You use the same password on your mailing list account and other places.
Shame on you if so...that's your problem.
b. You are concerned someone might connect your IP/browser to the account
dirtysecuritywhore@...nttohide.com. In which case, you should have been
taking other measures anyway.
c. You don't want ureleet unsubscribing you every day (face it, we ALL want
to do this to netdev). Fine, this is valid, but really, who the hell will
MITM you just so they can mess with you? Your ISP? Your flatmates on the
same network as you?

Basically speaking, the risks of managing your mailing list account via a
self-signed SSL should be slim to none, and anyone who wants to argue the
differences between self-signed certs and trusted ones should be smart
enough to reduce their risk to nearly none despite the evul self-signed cert
on the Internet.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
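Added example, not part of the original post or thread: a check that makes the post's distinction concrete, a self-signed cert fails default chain validation (so a MITM could not be told apart from the real host) but, once its fingerprint has been compared over a second channel, it can be pinned and then validates. It assumes the openssl CLI is installed; the host name is hypothetical.

```shell
# Added example, not part of the original post: a self-signed cert fails
# default chain validation (a MITM is indistinguishable from the real host),
# but once its fingerprint is checked out-of-band it can be pinned and then
# validates. Assumes the openssl CLI; the host name is hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a constructed self-signed certificate and print its path.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=lists.example.invalid" \
        -keyout "$WORK/key.pem" -out "$WORK/self.pem" >/dev/null 2>&1
    echo "$WORK/self.pem"
}

# True when issuer equals subject, i.e. the cert vouches for itself.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')
    [ "$subj" = "$iss" ]
}

# Succeed only on a clean "OK" with no error lines (old openssl versions
# printed OK after errors and exited 0, so exit status alone is not enough).
verify_clean() {
    out=$(openssl verify "$@" 2>&1 || true)
    case "$out" in
        *error*) return 1 ;;
        *": OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validation as a browser does it: against the system trust store.
validates_by_default() { verify_clean "$1"; }

# Validation after pinning: the cert itself is the trust anchor.
validates_when_pinned() { verify_clean -CAfile "$1" "$1"; }

# The value to compare over a second channel before pinning.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

CERT=$(make_self_signed)
echo "self-signed:             $(is_self_signed "$CERT" && echo yes || echo no)"
echo "trusted by system store: $(validates_by_default "$CERT" && echo yes || echo no)"
echo "trusted when pinned:     $(validates_when_pinned "$CERT" && echo yes || echo no)"
echo "fingerprint to check:    $(fingerprint "$CERT")"
```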
