On 2012-02-28 11:34 PM, The Fungi wrote:
Your login was successful, but due to recent security concerns we
also require a one-time verification of your personal information.
Please now enter the following...
* Checking Account Number
* Bank Routing Number
* ATM Card Number
* Card
On 02/28/2012 10:42 AM, Marsh Ray wrote:
By forcing the phishing attack to involve the legitimate site, it does
one other thing: it puts the site in a position to require strong mutual
authentication.
Let me clarify one little detail: web browsers will still send the HTTP
request (including
On 2012-02-26 15:45:34 -0600 (-0600), Marsh Ray wrote:
[...]
So if the online banking site required TLS client authentication
with smart cards with on-chip RSA, the situation would be much
different. A MitM who succeeded in impersonating the site to the
user would be unable to replay or
On 02/28/2012 07:34 AM, The Fungi wrote:
Your login was successful, but due to recent security concerns we
also require a one-time verification of your personal information.
Please now enter the following...
Yes, but all of this falls in the category of user authenticates the
website.
So
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com wrote:
...
Still it might be worth pointing that if Wells Fargo really wanted to forbid
a Trustwave network-level MitM, SSL/TLS provides the capability to enforce
that policy at the protocol level. They could configure their
On Mon, Feb 27, 2012 at 6:08 PM, coderman coder...@gmail.com wrote:
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com wrote:
...
Still it might be worth pointing that if Wells Fargo really wanted to forbid
a Trustwave network-level MitM, SSL/TLS provides the capability to
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com wrote:
Still it might be worth pointing that if Wells Fargo really wanted to
forbid a Trustwave network-level MitM, SSL/TLS provides the capability to
enforce that policy at the protocol level. They could configure their web
On 02/26/2012 09:34 AM, Andy Steingruebl wrote:
On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray ma...@extendedsubset.com
mailto:ma...@extendedsubset.com wrote:
Still it might be worth pointing that if Wells Fargo really wanted
to forbid a Trustwave network-level MitM, SSL/TLS provides the
On Sun, 12 Feb 2012, Jeffrey Walton wrote:
(2) Did the other end of the SSL/TLS tunnel also agree to be monitored?
Ding!
Yes, that is the key - and was the key the first time we visited this
subject a few months ago.
When all is said and done, and Jane Doe cube peasant signs away her
On 02/25/2012 05:55 PM, John Case wrote:
When all is said and done, and Jane Doe cube peasant signs away her
life, and the browsers all look the other way and every CA is doing it
... after all of that, does Wells Fargo actually consent to your
bullshit Fortune 30,000 firm monitoring their
Mozilla has issued a statement about MITM certs:
https://blog.mozilla.com/security/2012/02/17/message-to-certificate-authorities-about-subordinate-cas/
(Ack: Paul Hoffman posted this link to g+)
___
cryptography mailing list
cryptography@randombit.net
On Wed, Feb 15, 2012 at 12:49 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Sun, Feb 12, 2012 at 8:17 PM, Steven Bellovin s...@cs.columbia.edu wrote:
On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
[Jeffrey Walton noloa...@gmail.com (2012-02-12 10:57:02 UTC)]
(1) How can a company
On 2/13/12 3:43 PM, d...@geer.org wrote:
Two refs, one confirmed, one hearsay
1. J. Beeson, CISO, GE Capital has a standard stump speech,
I don't buy your shoes, why should I buy your computer?
2. Sec. Napolitano is said to have bought the iPad she is
regularly seen with using her own money.
On Sun, Feb 12, 2012 at 8:17 PM, Steven Bellovin s...@cs.columbia.edu wrote:
On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
[Jeffrey Walton noloa...@gmail.com (2012-02-12 10:57:02 UTC)]
(1) How can a company actively attack a secure channel and tamper with
communications if there
While I'm not a lawyer and my opinion is in no way authoritative, I do not
believe there is any violation. They may be an accessory to a potential
crime but they themselves did not do the tapping.
Now on the other hand those companies that did the tapping should be
OK for as long as they are clear
On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
mailli...@krassi.biz wrote:
While I'm not a lawyer and my opinion is in no way authoritative, I do not
believe there is any violation. They may be an accessory to a potential
crime but they themselves did not do the tapping.
Now on the other
On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
mailli...@krassi.biz wrote:
While I'm not a lawyer and my opinion is in no way authoritative, I do not
believe there is any violation. They may be an accessory to a potential
crime but they themselves did not do the tapping.
I think it's a bit
Again, I'm not a lawyer but if somebody legally purchases a gun from
you for a legitimate purpose and then abuses it, you are not liable (US
context here).
The same way if somebody purchases this cert to monitor their
employees for data exfiltration (perfectly good reason, if specified
in the
On Sun, 12 Feb 2012 05:57:02 -0500
Jeffrey Walton noloa...@gmail.com wrote:
On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
mailli...@krassi.biz wrote:
While I'm not a lawyer and my opinion is in no way authoritative, I do
not believe there is any violation. They may be an accessory to a
They also claim in their defense that other CAs are doing this.
Evading computer security systems and tampering with communications is
a violation of federal law in the US.
As the article made quite clear, this particular cert was used to
monitor traffic on the customer's own network, which is
On 02/12/2012 10:24 AM, John Levine wrote:
They also claim in their defense that other CAs are doing this.
Evading computer security systems and tampering with communications is
a violation of federal law in the US.
As the article made quite clear, this particular cert was used to
monitor
On 13/02/12 10:53 AM, Marsh Ray wrote:
On 02/12/2012 10:24 AM, John Levine wrote:
They also claim in their defense that other CAs are doing this.
Evading computer security systems and tampering with communications is
a violation of federal law in the US.
As the article made quite clear, this
On Sun, Feb 12, 2012 at 9:13 PM, Krassimir Tzvetanov
mailli...@krassi.biz wrote:
I agree, I'm just reflecting on the reality... :(
Reality is actually as I described, at least for some shops that I'm
familiar with.
On Feb 12, 2012, at 10:26:46 PM, Nico Williams wrote:
On Sun, Feb 12, 2012 at 9:13 PM, Krassimir Tzvetanov
mailli...@krassi.biz wrote:
I agree, I'm just reflecting on the reality... :(
Reality is actually as I described, at least for some shops that I'm
familiar with.
The trend is the
I'm sure the trend is currently the other way, yes, but with low-cost
high-bandwidth wireless becoming more common it doesn't really matter,
does it?
And it all depends on the organization and its risk-taking profile.
But to bring this back on topic: I'd rather see draconian corporate
network