Message-ID: <CAH8yC8k4NmwEAnhV1sDvb_MsBF6XaCK1T3zN7V4oiuD7umT=Ag@mail.gmail.com>
Date: Thu, 17 Jan 2013 19:33:55 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Luigi Rosa <lists@...girosa.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: How to prevent HTTPS MitM

On Thu, Jan 17, 2013 at 3:56 PM, Luigi Rosa <lists@...girosa.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If this message is off-topic, please excuse me.
>
> I was reading about Nokia HTTPS MitM. Many corporate firewalls can MitM HTTPS
> for content inspection and many governments do this for their reasons.
>
> I was thinking: could it be possible to create a fake HTTPS stream to DoS the
> MitM attempt?

Stop conferring trust. Pin the certificate or public key. Google used it to vet out the Diginotar compromise in Chrome (all other browsers suffered). It's similar to SSH's StrictHostKeyChecking option. It's also on track for internet standards: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04.

Use Secure Remote Password (SRP). SRP is basically Diffie-Hellman using the password as an exponent (lots of handwaving).

Don't trust browsers. That includes Mozilla (Trustwave and the closed door, back room deals) or Opera (Nokia and its 'Acceleration Interception').

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
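As an added illustration of the public-key pinning Jeff recommends (this is example code written for this archive page, not part of his message, the draft standard, or any browser's implementation), the Python below computes the pin form used by the websec key-pinning draft, base64(SHA-256(DER SubjectPublicKeyInfo)), and checks a presented certificate against an allow-list of pins. The DER helpers, the certificates and the "keys" are all constructed here for the demonstration: the certificates are unsigned, the moduli are not real RSA keys, and the host name example.test is a placeholder. The point it shows is the one in the message: a content-inspection proxy that re-issues a certificate for the same name under a locally trusted CA passes ordinary chain validation but presents a different public key, so a pinned client rejects it. Pinning is a check in addition to chain validation, not a replacement for it.

```python
import base64
import hashlib

# --- minimal DER helpers, hand-written for this example (not a general ASN.1 library) ---

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (tag, length, value), short or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, end_offset, raw_tlv_bytes)."""
    start = pos
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    end = pos + ln
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end, buf[start:end]


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate.

    Walks Certificate -> TBSCertificate -> [version] serialNumber signature
    issuer validity subject subjectPublicKeyInfo (RFC 5280 field order).
    """
    tag, cert_body, _, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, tbs, _, _ = _tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("TBSCertificate must be a SEQUENCE")
    pos = 0
    tag, _, nxt, _ = _tlv(tbs, pos)
    if tag == 0xA0:                                 # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        _, _, pos, _ = _tlv(tbs, pos)
    tag, _, _, raw = _tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    return raw


def pin_for_spki(spki_der: bytes) -> str:
    """Pin as in the key-pinning draft: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der: bytes) -> str:
    return pin_for_spki(extract_spki(cert_der))


def check_pins(cert_der: bytes, pins: set) -> bool:
    """True only if the presented certificate carries one of the pinned public keys."""
    return spki_pin(cert_der) in pins


# --- constructed test material: not real keys, not real (signed) certificates ---

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                             # keep the INTEGER positive
    return der(0x02, b)


def _make_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption
    pubkey = der(0x30, _der_int(modulus) + _der_int(exponent))
    return der(0x30, alg + der(0x03, b"\x00" + pubkey))


def _make_cert(spki: bytes, serial: int, cn: bytes = b"example.test") -> bytes:
    """Build an unsigned but structurally valid DER certificate carrying `spki`."""
    version = der(0xA0, der(0x02, b"\x02"))                                              # v3
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn))))  # CN=
    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"140101000000Z"))
    tbs = der(0x30, version + der(0x02, bytes([serial])) + sig_alg + name + validity + name + spki)
    signature = der(0x03, b"\x00" + bytes(16))      # placeholder bit string, not a real signature
    return der(0x30, tbs + sig_alg + signature)


def _fake_modulus(label: bytes) -> int:
    # Deterministic 256-bit odd number derived from a label; NOT an RSA modulus.
    return int.from_bytes(hashlib.sha256(label).digest(), "big") | (1 << 255) | 1


SITE_SPKI = _make_rsa_spki(_fake_modulus(b"constructed site key"))
PROXY_SPKI = _make_rsa_spki(_fake_modulus(b"constructed interception proxy key"))

SITE_CERT = _make_cert(SITE_SPKI, serial=1)      # what the genuine site presents
PROXY_CERT = _make_cert(PROXY_SPKI, serial=2)    # same name, re-keyed by an inspecting proxy
PINS = {pin_for_spki(SITE_SPKI)}                 # pin obtained out of band (preloaded or on first contact)

if __name__ == "__main__":
    print("site  pin:", spki_pin(SITE_CERT), "accepted" if check_pins(SITE_CERT, PINS) else "REJECTED")
    print("proxy pin:", spki_pin(PROXY_CERT), "accepted" if check_pins(PROXY_CERT, PINS) else "REJECTED")
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is deliberate: the site can renew its certificate with the same key without breaking clients, while any re-keying by an intermediary still changes the pin. In practice a deployment pins more than one key (a backup pin) so that a planned key rotation does not lock clients out.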