On Sat, 3 Feb 2001, Benjamin Tomhave wrote:

> SSL is only safe if the initial handshake is missed by the sniffer.
> A tool came out last year called SpyNet/PeepNet (I believe eEye
> purchased the rights) that not only acted as a software sniffer for
> your Windows machine, but it also, with the click of a button, would
> allow you to recreate sessions (web, telnet, ftp, etc.), including SSL
> encrypted connections.

ssldump can also do this. if openssl is installed, it can print out the
client and server public keys in PEM mode. if provided with the session
keys (from a symmetrical cipher) it can decrypt the traffic. very nice ...

> Just remember: why break the algorithm when you can simply compromise
> the keys?

if you have control over it, choose strong algorithms, then. or rather,
force them. long key lengths, *good* keys (ie avoid weak or biased keys),
chained modes, etc...

just adding some info is all.

____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
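
Added example, not part of the original post: one way to "force" strong algorithms on an endpoint you control and then audit what is left enabled, using Python's standard `ssl` module. The cipher string, the 128-bit floor, the `LEGACY_TOKENS` set and the sample records are assumptions chosen for illustration.

```python
import ssl

# Assumption: name tokens treated as legacy/weak for this example.
LEGACY_TOKENS = {"NULL", "EXP", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH"}

def weak_reasons(cipher, min_bits=128):
    """Return the reasons a cipher record is weak (empty list if acceptable).

    `cipher` is a dict shaped like the entries of SSLContext.get_ciphers().
    """
    reasons = []
    bits = cipher.get("strength_bits", 0)
    if bits < min_bits:
        reasons.append(f"key strength {bits} < {min_bits} bits")
    tokens = set(cipher["name"].replace("_", "-").upper().split("-"))
    for tok in sorted(tokens & LEGACY_TOKENS):
        reasons.append(f"legacy algorithm {tok}")
    return reasons

def audit(ctx, min_bits=128):
    """Map each weak cipher enabled on `ctx` to its list of reasons."""
    findings = {}
    for cipher in ctx.get_ciphers():
        reasons = weak_reasons(cipher, min_bits)
        if reasons:
            findings[cipher["name"]] = reasons
    return findings

def forced_context():
    """Server-side context that only offers the suites we choose."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")  # assumption: the policy for this example
    return ctx

# Constructed sample records (not captured from a real server).
SAMPLE = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record["name"], "->", weak_reasons(record) or "ok")
    print("forced context findings:", audit(forced_context()))
```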
