Full Disclosure: Re: JaPCrypt

Nmap Security Scanner
- Intro
- Ref Guide
- Install Guide
- Download
- Changelog
- Book
- Docs
Security Lists
- Nmap Hackers
- Nmap Dev
- Bugtraq
- Full Disclosure
- Pen Test
- Basics
- More
Security Tools
Site News
Advertising
About/Contact
Sponsors:

Re: JaPCrypt

From: Gerardo Di Giacomo <gerardo () linux it>
Date: Wed, 06 Feb 2008 19:05:48 +0100

It's true that with MITM you could "poison" the javascript to steal thekey (cookie stealing style) but I think that it's a reasonable risk dueto the "non-enterprise" environment, in which the suite has been thoughtfor. Stealing the key requires a targeted attack MITM, in a precise moment.

I think it's better to use JaPCrypt then normal HTTP... and don't forgetthat all pages "protected" with JaPCrypt won't be indexed by crawlers.The "main" problem by now is not massive MITM but massive sniffing, andwith this suite the problem of "mass-sniffing" is avoided.


Regards,
 Gerardo

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

JaPCrypt Gerardo Di Giacomo (Feb 06)
- Re: JaPCrypt coderman (Feb 06)
  - Re: JaPCrypt T Biehn (Feb 06)
    - Re: JaPCrypt T Biehn (Feb 06)
- <Possible follow-ups>
- Re: JaPCrypt Gerardo Di Giacomo (Feb 06)
  - Re: JaPCrypt coderman (Feb 06)
    - Re: JaPCrypt Valdis . Kletnieks (Feb 06)
    - Re: JaPCrypt Epic (Feb 06)
    - Re: JaPCrypt Christoph Gruber (Feb 06)
    - Re: JaPCrypt Valdis . Kletnieks (Feb 06)
- Re: JaPCrypt Gerardo Di Giacomo (Feb 06)