> -----Original Message-----
> From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
>
> Maybe I should have just kept my trap shut about my views
> in this area and spared myself the pain :)

It's not pain, it's the cut and thrust of lively debate, and you love it.

[...]

> Ben Nagy wrote:
> >
> > [dangers of administrating your firewall via HTTPS]
> >
> > What's your attack scenario for this, Mike?

[...]

> A recent case in point is, as I previously pointed out, the
> vulnerability that arises from hitting the back button in IE:
> http://online.securityfocus.com/archive/1/267561
>
> Old vulnerability variations include the equivalent of doing
> "history(-1)" in a script.
>
> I suppose we don't have to rehash all the browser
> vulnerabilities to date? :)

OK, I see how that could suck (although it's more likely to just compromise the management station), but yes, it's easily extensible into something bad. Down with javascript, ra ra ra.

You still didn't address the question of using pure Java in a browser, though.

[...]

> > Basically, I want standards driven GUIs that use crypto protocols
> > I know everything about - this is why I'm instinctively attracted
> > to HTTPS, even though I know HTTP sucks, and I know that browsers
> > also suck.
>
> As far as the crypto goes, this basically limits you to
> IPsec, SSL or SSH. IPsec is doable in some setups, but is
> probably too complicated for "most" organizations.

And probably too complicated to be really secure, but it'll do until something better comes along. Since, for most GUIs, we only need a Secure Socket Layer (so to speak), I'd probably vote for TLS.

> SSL or SSH are less complicated setup-wise, but still come
> with a fairly large code bulk. Although granted: a lot of it
> can probably be stripped out.

Minimal SSL/TLS can't be _that_ big, c'mon.

[...]

> Personally speaking, I trust our framework more than I trust
> SSH, SSL or IPsec, but, then again, you know nothing of what
> I trust

Which is reasonable, since it _should_ be easy to write a really basic station-to-station protocol that doesn't need to be able to negotiate a million options. It's just that it isn't, apparently, _that_ easy.

Sadly, I still have no good comeback to the fact that it probably won't be safe to use a "standard" browser-based app, maybe not even a Java one, until IE is either fixed or has a button marked "Make me a really dumb but safe browser". But, dammit, Java in a browser with a TLS connection to a secure HTTPS-only server on the firewall _should_ be the right way to do it! *sulk*

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
