> Because if you're talking about self-signed certs, that's
> been discussed previously

They weren't discussed, they were mentioned with the assumption that they won't validate and/or would be easily detected by a prompt to accept them unless they were stolen or bought... that assumption is wrong.

It has nothing to do with all the SSL VPN vendors, browser developers - patches, warnings, etc.

Best protection? Have a guard stand by every computer on the network and watch each user's every move because it's the 'only' way to keep it from happening.

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 03, 2006 10:35 AM
To: CF-Talk
Subject: RE: Break it down for n00bs: security problems of non-SSL intranet?

> Again, like I said... I left details out intentionally and I
> won't post them now just because you asked.

OK. I can understand that you don't want to release this sensitive information to the world. But typically, one could point to something which would describe the existence of a vulnerability without disclosing exactly how to exploit it. And presumably, this would be a big huge deal to all the SSL VPN vendors, browser developers - patches, warnings, etc.

So, it seems to me that either (a) you're aware of some otherwise unknown 0day exploit, or (b) all the people using SSL/TLS in their products are collectively hoping that no one notices their fatal flaw until they can patch it.

To be clear, are you talking about certificates with a validating signature? Because if you're talking about self-signed certs, that's been discussed previously.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

