On Tue, Feb 24, 2009 at 03:06:21PM -0500, Perry E. Metzger wrote:
If you expect to be presenting things at that level of detail to
developers, you're going to lose.
Agreed on this end. However, these are web security people, not mere
web developers. They are very sharp on complicated issues
Clever though this scheme is, man-in-the middle attacks make it no
better than a plain SSL login screen. Since the bad guy knows what site
you're trying to reach, he can use your usercode to fetch the shared
secret from the real site and present it to you on his fake site. It's
true, the
Building a reference implementation of a cipher can be an invaluable
aid to writing code. Building a cipher in a spreadsheet, while some
may suggest is strange, is a valid way to effectively describe a
cipher in a visual sense. This has been done before with The
Illustrated DES
John Levine jo...@iecc.com writes:
Clever though this scheme is, man-in-the middle attacks make it no better
than a plain SSL login screen.
You don't even need a MITM, just replace the site image on your phishing site
with either a broken- image picture or a message that your award-winning
Cat Okita wrote:
On Sat, 21 Feb 2009, Peter Gutmann wrote:
This points out an awkward problem though, that if you're a commercial
vendor
and you have a customer who wants to do something stupid, you can't
afford not
to allow this. While my usual response to requests to do things
insecurely
This means a site paying attention to such things could notice a
change in IP address, or, if several users were attacked this way,
notice repeated connections from the same IP. (Granted the MITM
could distribute the queries over a botnet, but it raises the bar
somewhat.)
I have no idea if sites
Yet more internal NSA history released to the public:
http://www.nsa.gov/public_info/declass/oral_history_interviews.shtml
--
Perry E. Metzgerpe...@piermont.com
-
The Cryptography Mailing List
Unsubscribe by
On Wed, 2009-02-25 at 14:53 +, John Levine wrote:
You're right, but it's not obvious to me how a site can tell an evil
MITM proxy from a benign shared web cache. The sequence of page
accesses would be pretty similar.
There is no such thing as a benign web cache for secure pages.
If you
On Wed, 25 Feb 2009 10:04:40 -0800
Ray Dillinger b...@sonic.net wrote:
On Wed, 2009-02-25 at 14:53 +, John Levine wrote:
You're right, but it's not obvious to me how a site can tell an evil
MITM proxy from a benign shared web cache. The sequence of page
accesses would be pretty
John Levine jo...@iecc.com writes:
Clever though this scheme [kittens] is, man-in-the
middle attacks make it no better than a plain SSL
login screen.
Peter Gutmann wrote:
You don't even need a MITM, just replace the site
image on your phishing site with either a broken-
image picture or a
10 matches
Mail list logo