WebApp Sec mailing list archives

Re: Innocent Code Prize for Best Post on WebAppSec


From: "Sverre H. Huseby" <shh () thathost com>
Date: Mon, 1 Mar 2004 15:46:07 +0100

This is a reply to Mark Curphey's post [1] on 2004-02-16.  In case you
didn't see it: For a few weeks I give a copy of my book [2] to authors
of webappsec-posts I like (not that I think they need it, but
anyway... :) ).

I happened to like Rogan Dawes' short and easy-to-understand overview
of how SSL traffic may be intercepted [3], posted on 2004-02-26.  Even
though e.g. SSL-enabled load balancers (server-side interception),
"cracking proxies" (client-side) and dsniff.webmitm (in the middle)
have been available for years, it seems like SSL/TLS still works like
black magic to many.  I guess Rogan's post may clear things up for
some.

Rogan should know what he's talking about, as he's the author of the
Exodus proxy [4], and a major contributor to OWASP's own WebScarab [5].

A book is in the (snail)mail.


Sverre.


1 <200402161618.LAA20125 () arkroyal cnchost com>
  http://www.securityfocus.com/archive/107/353996/2004-02-12/2004-02-18/0

2 http://innocentcode.thathost.com/

3 <403DD8B2.1A76E.1F9 () z-iris2 zipa com>
  http://www.securityfocus.com/archive/107/355415/2004-02-20/2004-02-26/0

4 http://dawes.za.net/rogan/exodus.html

5 http://www.owasp.org/development/webscarab


-- 
shh () thathost com               My web security book: Innocent Code
http://shh.thathost.com/       http://innocentcode.thathost.com/
