Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Simon Smith <simon () snosoft com>
Date: Wed, 15 Mar 2006 13:41:02 -0500
gboyce wrote:
Ok, so what's your alternative?
My alternative is to manage critical systems without using a web based GUI. Since there aren't that many truly critical systems (in my network) I can do that without a problem.
You're already assuming that the user of the firewall is already misusing SSL. They need to blindly accept unsigned SSL certificates, and changes to the certificates. Just about any security restrictions you can apply can be done away with if the user is incompetent enough.
You're right.
Some form of challenge response? If you can already perform a man in the middle attack, then challenge response is just as vulnerable. Just connect to the server when the client hits you, and pass them the challenge you received. Use the credential yourself, and pass them a failure. When they try again, connect them to the server.
You're right again. Does everyone here think that the majority of companies hire security aware people?
I suppose client certificates would work, but do you honestly believe there are many firewall admins who would go through the pain and effort to set up a server that deals with client certificates properly, but wouldn't notice SSL server certificate changes?
I still agree with you.
On Wed, 15 Mar 2006, Simon Smith wrote:
Ok, As suspected... so I am correct; and it is a security threat. I can compromise a network, arp poison it, MiTM, access the firewall, distributed metastasis, presto... owned...
Michael Holstein wrote:
which brings up a question... what are the odds that someone could forcefully redirect traffic to their proxy after having compromised a network? Could this be done with arp poisoning? I haven't toyed with that in a while so I can't say yes or no...
If it's Ethernet, and you're on the same broadcast network, yes. Check out arpspoof (part of dsniff). You also need to set up a userspace router to forward the packets -- easiest way is fragrouter. FYI: this also works quite well on wireless.
~Mike.
--
Regards,
Adriel T. Desautels
Harvard Security Group
http://www.harvardsecuritygroup.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
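The point in the message above about noticing SSL server certificate changes, as an added Python example that is not from any poster in the thread or from the firewall project: the client records the fingerprint of the management GUI's self-signed certificate once and refuses to send the Basic credentials when the presented certificate differs. The function names, the sample certificate bytes and the pinned value are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """True only if the presented certificate is exactly the pinned one."""
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def basic_auth_header(user: str, password: str) -> str:
    """Basic auth is only base64, so it must never leave before the pin check."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def fetch_with_pin(host, port, pinned_hex, user, password, path="/"):
    """Connect, check the pin, and only then send credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # self-signed cert: CA validation is
    ctx.verify_mode = ssl.CERT_NONE  # replaced by the exact-match pin below
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pinned_hex):
                raise ssl.SSLError("certificate changed; credentials not sent")
            request = (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
                       f"{basic_auth_header(user, password)}\r\n\r\n")
            tls.sendall(request.encode())
            return tls.recv(65536)


# Constructed sample bytes standing in for DER certificates (not real certs).
ENROLLED_CERT = b"constructed-der-bytes-of-the-firewall-gui-cert"
PROXY_CERT = b"constructed-der-bytes-presented-by-an-interposed-proxy"
PINNED = fingerprint(ENROLLED_CERT)  # recorded once over a trusted path
```

The pin has to be recorded over a path that is already trusted, such as the console; a pin taken on first connection through a poisoned network pins the proxy's certificate instead.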