Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: Re: JaPCrypt

Re: JaPCrypt

From: Gerardo Di Giacomo <gerardo_at_linux.it>
Date: Wed, 06 Feb 2008 19:05:48 +0100

It's true that with MITM you could "poison" the javascript to steal the
key (cookie stealing style) but I think that it's a reasonable risk due
to the "non-enterprise" environment, in which the suite has been thought
for. Stealing the key requires a targeted attack MITM, in a precise moment.

I think it's better to use JaPCrypt then normal HTTP... and don't forget
that all pages "protected" with JaPCrypt won't be indexed by crawlers.
The "main" problem by now is not massive MITM but massive sniffing, and
with this suite the problem of "mass-sniffing" is avoided.

Regards,
  Gerardo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Received on Feb 06 2008
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]