WebApp Sec mailing list archives

RE: IIS log - GETs vs. POSTs


From: RSnake <rsnake () shocking com>
Date: Mon, 1 Sep 2003 10:24:06 -0700 (PDT)


        That is incorrect.  Here is the transactional model:

Client hello ->
<- Server hello
<- Server certificate
<- serverHelloDone
ClientKeyExchange E(Kserv, PK) ->
ChangeCipherSpec ->
FIN Handshake (MAC) ->
<- ChangeCipherSpec
<- FIN Handshake (MAC)
Application_data HTTP request -> (GET /?data HTTP/1.0\n\n)
<- Application_data HTTP response (HTTP/1.1 200 OK\n...)
Alert : close_notify ->
<- Alert : close_notify

        Please ref RFC2817 and RFC2818.  It is possible to break SSL/TLS,
however usually it's computationally/fiscally unfeasible, as it can be
difficult to get access to a machine that routes traffic to the victim server
in question, as the level of security usually (read: we hope) goes up as you
get closer to a secured machine (Data center).  Also the dollars spent to break
a single session often exceed the actual dollar value of the data recovered.

        In addition there can be potential leaking of information as you get
closer to the server in question, and can use chain of command type
cryptanalysis to extrapolate more information from a host.  IE: people who log
into a secure site for some fatal disease are more likely to be afflicted by
it, regardless of the fact that you cannot see actual plaintext.  This is
really more of a concern for those governed by HIPAA and internal government
auditing, than joe-shmoe's e-commerce site.  Generally speaking this should not
be a concern.

        I just want to reiterate, man in the middle attacks are one of the
smallest threats out there at the time of this email, because they have nearly
stopped in proliferation, compared to going directly after the server in
question, which usually yields better results anyway.  But even still, I would
never build an enterprise solution without using it.  It's all about risk
mitigation, right?

On Mon, 1 Sep 2003, Calderon, Juan C (EM, DDEMESIS) wrote:

| Date: Mon, 1 Sep 2003 10:23:11 -0400
| From: "Calderon, Juan C (EM, DDEMESIS)" <Juan.Calderon () ge com>
| To: RSnake <rsnake () shocking com>, Lucas Holt <luke () foolishgames com>
| Cc: Jeremy Poteet <lists () appdefense com>,
|      WebAppSec <webappsec () securityfocus com>
| Subject: RE: IIS log - GETs vs. POSTs
|
| As far as I know.
|
| Other implication of sending information through HTTP GET is that SSL does
| not encrypt (protect) it, only the bytes flow (POST data) as encrypted.
| so sending information through URL using SSL is useless.
|
| Correct me if I'm wrong.
|
| cheers :)
|

-R
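
The record flow in the message above, as an added example that is not part of the original email: a Python walker over TLS record headers that checks, for one direction of a capture, that application_data appears only after ChangeCipherSpec and that the query string never shows up in the clear. It assumes TLS 1.0-style record framing (RFC 2246); the function names and the sample byte streams are constructed for illustration.

```python
import struct

# TLS record content types (RFC 2246, record layer)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def parse_records(stream: bytes):
    """Split one direction of a TLS byte stream into (type_name, version, payload) records."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        payload = stream[offset + 5 : offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((CONTENT_TYPES[ctype], (major, minor), payload))
        offset += 5 + length
    return records

def request_is_protected(records, needle: bytes) -> bool:
    """True if application_data only follows ChangeCipherSpec and `needle`
    (for example the query string) never appears in the clear in any record."""
    seen_ccs = False
    for name, _version, payload in records:
        if needle in payload:
            return False
        if name == "change_cipher_spec":
            seen_ccs = True
        elif name == "application_data" and not seen_ccs:
            return False
    return any(name == "application_data" for name, _, _ in records)

def record(ctype: int, payload: bytes) -> bytes:
    """Build a TLS 1.0 (version 3,1) record; used only for the constructed samples."""
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload

# Constructed client-side stream following the flow in the message; payloads are placeholders.
CLIENT_STREAM = (
    record(22, b"\x01" + bytes(40))        # ClientHello
    + record(22, b"\x10" + bytes(130))     # ClientKeyExchange
    + record(20, b"\x01")                  # ChangeCipherSpec
    + record(22, bytes(range(200, 240)))   # Finished, already encrypted
    + record(23, bytes(range(17, 81)))     # HTTP request carried as ciphertext
    + record(21, bytes(range(90, 112)))    # close_notify alert, encrypted
)
# Constructed counter-case: the same request line sent without any handshake.
PLAINTEXT_STREAM = record(23, b"GET /?data HTTP/1.0\n\n")
```
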
