Vulnerability Development mailing list archives
Re: Single SignOn
From: Diane.Davidowicz () ISO NOAA GOV (Diane Davidowicz)
Date: Fri, 25 Feb 2000 09:59:31 -0600
Ben Grubin wrote:
> -----Original Message-----
> From: Vanna P. Rella [mailto:vamprella () chickmail com]
> Sent: Thursday, February 24, 2000 2:44 PM
> To: Ben Grubin
> Cc: VULN-DEV () SECURITYFOCUS COM
> Subject: RE: Single SignOn
>
> Wow, didn't realize it's using UDP. UDP is traditionally insecure. However, if they're using crypto APIs, wouldn't that solve the problem?
>
> UDP in and of itself is not insecure,
>
> Ben

Hmmm, with all due respect to you, especially since this is getting slightly off-topic, the entire IP protocol suite is insecure as they have absolutely no security mechanisms built in (the security option field, RFC 1108, that does exist in the IP header is used almost entirely by the US's DOD for Orange Book type compliance and is not used to secure IP protocols themselves). Thus the evolution of IPsec. Even RFC 2401, the RFC for IPsec, implies IP as lacking security by design (see excerpt below). I will refrain from listing all the security issues involved with just the headers of IP/TCP/UDP/IGMP/ICMP/etc. (i.e., there's enough info out there on this), and avoid any additional discussion about how applications don't always make correct use of the IP protocols, which can typically lead to application vulnerabilities (I believe you may be implying this when you said that UDP statement above). This is a distinction, I believe, that should be made.
From RFC2401 (RFC for IPsec):
"The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols."

Diane

Disclaimer: These are my own opinions and do not reflect the opinions of my employers.
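The RFC 2401 excerpt above names connectionless integrity, data origin authentication and protection against replays as services the bare IP/UDP layer does not give an application. The Python below is an added example, not part of this thread and not IPsec's own code, showing what those three services (plus a simple access-control check on the sender) look like when an application has to supply them itself: a keyed MAC over each datagram and a sliding anti-replay bitmap modelled on the window described in RFC 2401 Appendix C. The wire format, key, sender id and traffic are all constructed for the demo.

```python
import hmac
import hashlib
import struct

# Added example (not from the thread): a minimal authenticated datagram with
# an anti-replay window, illustrating the services the RFC 2401 excerpt lists.
# The wire format and key are constructed for the demo; a real deployment
# would use IPsec (ESP/AH) or DTLS rather than a hand-rolled scheme.

MAC_LEN = 16                      # truncated HMAC-SHA256 tag (constructed choice)
HDR = struct.Struct("!4sI")       # sender id (4 bytes) + 32-bit sequence number


def protect(key: bytes, sender: bytes, seq: int, payload: bytes) -> bytes:
    """Build sender||seq||payload||tag; the tag covers everything before it."""
    body = HDR.pack(sender, seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class ReplayWindow:
    """Sliding bitmap window in the style of RFC 2401 Appendix C."""

    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0            # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => seq (right - i) has been seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False          # sequence number 0 is never valid
        if seq > self.right:      # new right edge: slide the window forward
            shift = seq - self.right
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False          # too old: fell off the left of the window
        if self.bitmap & (1 << offset):
            return False          # already seen: replay
        self.bitmap |= 1 << offset
        return True


class Receiver:
    """Verifies the tag first, then the sender, then the sequence number."""

    def __init__(self, key: bytes, sender: bytes):
        self.key = key
        self.sender = sender      # the one peer this receiver accepts from
        self.window = ReplayWindow()
        self.delivered = []

    def accept(self, datagram: bytes) -> str:
        if len(datagram) < HDR.size + MAC_LEN:
            return "malformed"
        body, tag = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"      # integrity or data-origin failure
        sender, seq = HDR.unpack(body[:HDR.size])
        if sender != self.sender:
            return "wrong-sender"  # access control: unexpected peer
        if not self.window.check_and_update(seq):
            return "replay"
        self.delivered.append(body[HDR.size:])
        return "ok"


def demo() -> list:
    """Constructed traffic: in-order, reordered, replayed, tampered, forged."""
    key = b"constructed-demo-key-not-for-real-use"
    rx = Receiver(key, b"SSO1")
    d1 = protect(key, b"SSO1", 1, b"login alice")
    d2 = protect(key, b"SSO1", 2, b"token-request")
    d3 = protect(key, b"SSO1", 3, b"logout")
    tampered = bytearray(d2)
    tampered[HDR.size] ^= 0x01                    # flip one payload bit
    forged = protect(b"wrong-key", b"SSO1", 4, b"login mallory")
    return [
        rx.accept(d1), rx.accept(d3), rx.accept(d2),  # reordering is tolerated
        rx.accept(d2),                                # second copy is a replay
        rx.accept(bytes(tampered)),                   # integrity failure
        rx.accept(forged),                            # wrong key: origin failure
    ]


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the MAC is verified before the sequence number is consulted, so an unauthenticated datagram can never advance the window, and the window is only updated once a packet has passed every other check. The tolerance for reordering (seq 3 arriving before seq 2) is exactly the "partial sequence integrity" the RFC excerpt refers to.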
Current thread:
- Re: Single SignOn Ben Grubin (Feb 24)
- <Possible follow-ups>
- Re: Single SignOn Vanna P. Rella (Feb 24)
- Re: Single SignOn Ben Grubin (Feb 24)
- Re: Single SignOn Diane Davidowicz (Feb 25)
- IIS4 / WAP vulnerability? Bjørnar B. Larsen (Feb 25)
- Re: Single SignOn Zev Lavon (Feb 25)
- Re: Single SignOn Erwin Geirnaert (Feb 28)