Firewall Wizards
mailing list archives
RE: SSL
From: Bruce Platt <Bruce () ei3 com>
Date: Fri, 19 Oct 2001 10:12:31 -0400
Paul D. Robertson wrote:
> I haven't played with nimda server->client since the day it hit, so maybe
> my recollections are fuzzy, but it was my impression that the window open
> in hottips.htm would create another GET request for readme.eml- If it
> wasn't readme.eml, it was readme.exe. In either case, that GET request
> would expose its URL to an HTTPS proxy. The quick (HTTP not HTTPS)
> window.open test I just did locally via my home proxy confirms this
> behaviour, so please let me know if I'm missing something.
The window.open delivers the infected mail message which if one's Outlook is
vulnerable ...
> That's always been one of my arguments against packet filtering firewalls
> for sole protection for organizations who are concerned about active
> content issues. There's no surprise here for anyone who's gamed this out
> before. A proxy however is a different beast- since the packets are
> reassembled and parsed as such- the anti-javascript patches to http-gw are
> an example of how to do this (though the code is very, very ugly), it just
> needs an MITM attack to get the content in the clear (which was one of my
> goals in life at one point that Fred so fondly remembers.)
Yup, one does need the proxy to be a MITM to inspect the content, and the
pros and cons of that are too lengthy here.
> Server->server that's true, server->client the pages will serve just as
> well over https as they do over HTTP, but that javascript-nuking http
> proxy won't be effective in the least if you connect to the server via
> HTTPS without an MITM attack.
I want to make sure that people understand how vulnerable they are over
HTTPS.
> The point however is that at least thus far, people haven't been willing
> to even ask for "every defense" when it comes to encrypted traffic, and
> the balance between "privacy" for users and "security" for networks is
> increasingly going to become an issue.
Violent agreement.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
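
Added illustration, not part of the original message and not code from any participant: what a forward proxy that does not intercept TLS can read from the first request line a client sends it, for plain HTTP versus an HTTPS tunnel requested with CONNECT. The host name, request lines and the `proxy_view`/`decide` helpers are constructed for this example; the two file names are the ones mentioned in the thread.

```python
from urllib.parse import urlsplit

# File names the thread mentions as the follow-up download.
BLOCKED_NAMES = {"readme.eml", "readme.exe"}


def proxy_view(request_line):
    """Return what a non-intercepting forward proxy can read from the
    first line a client sends it."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # HTTPS through a proxy: only host:port is in the clear. The path,
        # headers and body travel inside the tunnel the proxy just relays.
        host, _, port = target.rpartition(":")
        return {"host": host, "port": int(port), "path": None}
    # Plain HTTP through a proxy: the absolute URL is visible and filterable.
    parts = urlsplit(target)
    return {"host": parts.hostname, "port": parts.port or 80, "path": parts.path}


def decide(request_line):
    """Filtering decision based only on what the proxy can actually see."""
    view = proxy_view(request_line)
    if view["path"] is None:
        return "tunnel: URL and content not inspectable"
    name = view["path"].rsplit("/", 1)[-1].lower()
    return "block" if name in BLOCKED_NAMES else "allow"


# Constructed sample request lines (www.example.com is a placeholder host).
SAMPLES = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "GET http://www.example.com/readme.eml HTTP/1.0",
    "CONNECT www.example.com:443 HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:55} -> {decide(line)}")
```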