On Tue, Feb 24, 2009 at 03:06:21PM -0500, Perry E. Metzger wrote:
> If you expect to be presenting things at that level of detail to
> developers, you're going to lose.
Agreed on this end. However, these are web security people, not mere
web developers. They are very sharp on complicated issues
Clever though this scheme is, man-in-the middle attacks make it no
better than a plain SSL login screen. Since the bad guy knows what site
you're trying to reach, he can use your usercode to fetch the shared
secret from the real site and present it to you on his fake site. It's
true, the fa
Building a reference implementation of a cipher can be an invaluable
aid to writing code. Building a cipher in a spreadsheet, while some
may suggest is strange, is a valid way to effectively describe a
cipher in a visual sense. This has been done before with The
Illustrated DES Spreadshe
John Levine writes:
>Clever though this scheme is, man-in-the middle attacks make it no better
>than a plain SSL login screen.
You don't even need a MITM, just replace the site image on your phishing site
with either a broken- image picture or a message that your award-winning
site-image softw
Cat Okita wrote:
> On Sat, 21 Feb 2009, Peter Gutmann wrote:
>> This points out an awkward problem though, that if you're a commercial
>> vendor
>> and you have a customer who wants to do something stupid, you can't
>> afford not
>> to allow this. While my usual response to requests to do things
>
>This means a site paying attention to such things could notice a
>change in IP address, or, if several users were attacked this way,
>notice repeated connections from the same IP. (Granted the MITM
>could distribute the queries over a botnet, but it raises the bar
>somewhat.)
>
>I have no idea if
Yet more internal NSA history released to the public:
http://www.nsa.gov/public_info/declass/oral_history_interviews.shtml
--
Perry E. Metzgerpe...@piermont.com
-
The Cryptography Mailing List
Unsubscribe by se
On Wed, 2009-02-25 at 14:53 +, John Levine wrote:
> You're right, but it's not obvious to me how a site can tell an evil
> MITM proxy from a benign shared web cache. The sequence of page
> accesses would be pretty similar.
There is no such thing as a "benign" web cache for secure pages.
If y
On Wed, 25 Feb 2009 10:04:40 -0800
Ray Dillinger wrote:
> On Wed, 2009-02-25 at 14:53 +, John Levine wrote:
>
> > You're right, but it's not obvious to me how a site can tell an evil
> > MITM proxy from a benign shared web cache. The sequence of page
> > accesses would be pretty similar.
>
John Levine writes:
>> Clever though this scheme [kittens] is, man-in-the
>> middle attacks make it no better than a plain SSL
>> login screen.
Peter Gutmann wrote:
> You don't even need a MITM, just replace the site
> image on your phishing site with either a broken-
> image picture or a messag
10 matches
Mail list logo