BTW, the cert is not 128 bits; that would be trivially small for a public key. The public key is used to verify the identity of the server (i.e. does it match the machine name? Can it be validated through Public Key Infrastructure (PKI)?). The tunnel may use 128-bit AES, but the cert is using some form of public key crypto using a public/private key pair.

Note that there are 3 negotiations between browser and server: encryption protocol (data protection), key negotiation protocol (how to create a secret key for use in encryption) and the signing mechanism (to detect tampering). You can detect the possible settings for these on your server using SSLDigger (www.foundstone.com, free tools). MITM proxies break none of these. They break the authentication of the remote server via the PKI; the tunnels are still secure, we just generate a way to open up the tunnel to peek inside.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell people
what they do not want to hear."
-- George Orwell, 1945
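The three negotiations described above are exactly what a TLS cipher-suite name spells out, and a scanner such as SSLDigger reports its findings as a list of such names. As an added example (not code from this thread or from SSLDigger), the Python below decodes IANA-style suite names into key exchange, server authentication, bulk encryption and integrity protection, reports the symmetric key size (the "128 bits" of the tunnel, as distinct from the certificate's public key), and flags the settings a defender would want disabled, including anonymous key exchange, which is the one case where no certificate is checked at all. The sample suite names and the weakness rules are constructed for this example.

```python
"""Split a TLS cipher-suite name into the three negotiated pieces: key
agreement (with server authentication), record encryption, and integrity
protection.  Added example using IANA-style suite names; the sample suites
and the weakness checks are this example's own, not SSLDigger's."""

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CipherSuite:
    name: str
    key_exchange: Optional[str]    # ECDHE, DHE, RSA, ...; None for TLS 1.3 names
    authentication: Optional[str]  # RSA, ECDSA, ...; None when anonymous or TLS 1.3
    encryption: str                # AES_128_GCM, RC4_128, NULL, ... (data protection)
    integrity: str                 # SHA256, SHA, MD5, ... (tamper detection / PRF hash)


def parse_cipher_suite(name: str) -> CipherSuite:
    """Decode an IANA-style suite name such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."""
    body = re.sub(r"^(TLS|SSL)_", "", name)
    if "_WITH_" in body:
        # TLS 1.2 and earlier: <key exchange>[_<auth>]_WITH_<encryption>_<integrity>
        kx_part, data_part = body.split("_WITH_", 1)
        kx_tokens = kx_part.split("_")
        if kx_tokens[-1].lower() == "anon":
            # e.g. DH_anon: the server is never authenticated
            key_exchange, authentication = "_".join(kx_tokens[:-1]), None
        elif len(kx_tokens) == 1:
            # e.g. RSA or PSK: one key does both key exchange and authentication
            key_exchange = authentication = kx_tokens[0]
        else:
            # e.g. ECDHE_RSA: ephemeral key agreement signed with the cert's key
            key_exchange, authentication = "_".join(kx_tokens[:-1]), kx_tokens[-1]
    else:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry only the record protection;
        # key exchange and signature algorithms are negotiated in separate extensions
        key_exchange = authentication = None
        data_part = body
    data_tokens = data_part.split("_")
    return CipherSuite(name, key_exchange, authentication,
                       "_".join(data_tokens[:-1]), data_tokens[-1])


# Ciphers whose strength is not readable from a number in the name
# (3DES listed at its effective 112-bit strength, not its 168-bit key length)
_FIXED_BITS = {"NULL": 0, "DES_CBC": 56, "DES40_CBC": 40,
               "3DES_EDE_CBC": 112, "CHACHA20_POLY1305": 256}


def symmetric_key_bits(encryption: str) -> Optional[int]:
    """Key size of the bulk cipher: the '128 bits' of the tunnel, not of the cert."""
    if encryption in _FIXED_BITS:
        return _FIXED_BITS[encryption]
    m = re.search(r"_(\d+)(?:_|$)", encryption)
    return int(m.group(1)) if m else None


def assess(suite: CipherSuite) -> List[str]:
    """Return the problems a defender would flag for a suite a server accepts."""
    issues = []
    if suite.key_exchange is not None and suite.authentication is None:
        issues.append("anonymous key exchange: the server is not authenticated, so "
                      "any interceptor can complete the handshake")
    if suite.authentication is not None and suite.key_exchange in {"RSA", "DH", "ECDH"}:
        issues.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    legacy = {"NULL", "RC4", "RC2", "DES", "DES40", "3DES"}
    if "EXPORT" in suite.name or suite.encryption.split("_")[0] in legacy:
        issues.append(f"legacy bulk cipher {suite.encryption}")
    bits = symmetric_key_bits(suite.encryption)
    if bits is not None and bits < 128:
        issues.append(f"{bits}-bit symmetric key")
    if suite.integrity == "MD5":
        issues.append("MD5-based integrity check")
    return issues


if __name__ == "__main__":
    # Constructed sample of suites a scanner might report for a server
    for name in ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_DH_anon_WITH_RC4_128_MD5",
                 "TLS_AES_256_GCM_SHA384"]:
        s = parse_cipher_suite(name)
        print(f"{name}: kx={s.key_exchange} auth={s.authentication} "
              f"enc={s.encryption} ({symmetric_key_bits(s.encryption)} bits) "
              f"mac={s.integrity}; issues={assess(s) or 'none'}")
```

Run it against the list of suites your server actually negotiates: an interception proxy that sits inside a trusted PKI leaves all three negotiations intact, so the suite list tells you about the tunnel's strength, while server authentication depends on the certificate chain and hostname check, which this decoder deliberately does not claim to cover.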
On Feb 8, 2008, at 4:13 PM, Fennell, Mark P. wrote:
<disbelief>
lemme get this straight. you can decrypt SSL traffic into a
human readable format?
you can crack a 128-bit certificate? what about a high-grade AES
256-bit pipe?
</disbelief>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, February 08, 2008 4:01 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
If secure AMF is just AMF over SSL... it's easy enough to modify in transit.

Darrin, if you or your organization wants a demo of why these things are insecure, let me know. I'll be more than happy to do some live web hacking for you. (And yes, Charlie, I haven't forgotten about you and the meetup...)
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Dissent is the purest form of patriotism."
--Thomas Jefferson
On Feb 8, 2008, at 3:55 PM, Dean H. Saxe wrote:
*cough* BS.
Flash can be decompiled.
I can watch all of the traffic. Even over SSL.
I can modify AMF (I'd have to look @ secure AMF).
If you'd like to challenge me to hack the app, let me know. I'm up
for it. ;-)
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"If liberty means anything at all, it means the right to tell
people what they do not want to hear."
-- George Orwell, 1945
On Feb 8, 2008, at 11:52 AM, Darin Kohles wrote:
You can always build a Flex (or Flash for that matter) application that can be put in your page as a 1px by 1px (I'm not sure if 0 by 0 will work) that has nothing on the stage with wmode="transparent". This application can now act as your portal between the browser via JS using the External Interface (or fsCommand going back to Flash ~6). Then your "invisible" Flex/Flash app can leverage all the connection types available (AMF/SecureAMF, Webservice, HttpService etc...) in a manner that is not easily accessible to any hacker (you can hide all kinds of security checks within this app).

I've always wanted to do a benchmark of this type of app side by side with standard Ajax, but the bottom line is that the only browser specific code would be in how the returned data is applied to affect the client content.
On Feb 8, 2008 11:20 AM, shawn gorrell <[EMAIL PROTECTED]> wrote:
Charlie, my main issues with AJAX are dealing with cross-browser issues, and security.

AJAX exposes some of the most annoying cross-browser DHTML sort of things. Using libraries and frameworks can insulate you from that to a degree, but not always completely. I've got a customer doing things with Google Maps and we've had some differences between IE and FF that have been difficult to solve.

People have gotten so excited about using AJAX that they have forgotten basic security principles (things like validating input). I recently read an article that discussed the security holes in the more commonly used frameworks, so the issue isn't just with roll your own AJAX, it is more pervasive.

But, those things said, ultimately I think it is a step forward in making a richer browser experience (not as much as Flex though). There are just some fleas on the dog that folks should be aware of in advance.
----- Original Message ----
From: Charlie Arehart <[EMAIL PROTECTED]>
To: [email protected]
Sent: Friday, February 8, 2008 10:58:47 AM
Subject: [ACFUG Discuss] will Ajax go away (was JVM version and ColdFusion)
That seems a curious statement, Forrest, and I'm sure some would enjoy a bit of discussion on it. For those who weren't following closely, he had asked first about some challenges using a CFX_google custom tag, and in the replies he was told that it's quite old and instead Google favors some Ajax APIs instead. Forrest replies he hoped the "Ajax thing would just go away".

So, do you realize that Ajax is merely a way to make browsers smarter? It enables them to make calls to remote servers. Sure, we could do that in the past with Java applets, ActiveX controls, Flash, and even plain Javascript. And we could of course do it from the server using either REST or SOAP apis. Ajax is just a simplified API to enable that very javascript-based client-server interaction. For those who need to talk to servers from clients (either because they can't or don't want to involve a server to proxy the communications for them), we don't want them to go back to Java and ActiveX, do we? :-) And while we may wish everyone would use Flex, it's just not likely. Many will, for the much larger problem space it solves, but for the average web developer, it's not really as simple as dropping in some AJAX API calls.

If Google (or other vendors) want to create a way for people to connect, and they want to make it work regardless of what web app server platform people use (and as well for those who have no server), and they provide an Ajax-based API to what (I suppose are otherwise REST-based) services, that seems to be just being smart, widening the pool of possible users.

Look at it another way (for us CFers), they (like Amazon, Ebay, and others) could instead just document calling from Java, ASP.NET, and PHP. They tend to not go that one step further to include CF. At least by their offering a platform-agnostic solution that doesn't require any server-side processing, they've helped more than just those who have no server to make calls from.

Just some thoughts. I'm not fanatical about all this, and I may well myself be missing a point. But since this is the ACFUG "discussion" list, that comment seemed one worth discussing. :-)
/charlie
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Forrest C. Gilmore
Sent: Thursday, February 07, 2008 5:30 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] JVM version and ColdFusion
Thanks, Charlie. Your comments were very helpful!
I have been hoping that this AJAX thing would just go away, as it seems to me to be a step backwards, but it looks like it will be around a while longer!
Forrest C. Gilmore
========================
Charlie Arehart wrote:
Forrest, I realize you've perhaps abandoned the effort, but I'll throw out some clarification if it's useful, first about the JRE/CFX issue, then about calling the google search APIs.
<snip>
-------------------------------------------------------------
Annual Sponsor FigLeaf Software - http://www.figleaf.com
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------