On Sat, 13 Oct 2007 10:25:46 EDT, full-disclosure@xxxxxxxxxxxx said:

> No idea you got an idea big guy?

No, merely pointing out an under-specification of the problem. There's any number of ways that it *could* be set up - the question is what the *desired* behavior is. Blindly rewriting everything to https: is *doable*, but results in some ugly corner cases.

Now, Kristian's *original* request was "you don't want to leak unencrypted data". The reasonable response is - is it OK to leak unencrypted, *unimportant* data (such as hitting www.cnn.com to check the news while you take a short break)?

In fact, a *clever* pen tester may in fact *want* to have at least *some* innocuous port 80 traffic, just so they don't stand out because they're *only* doing port 443 traffic....

(And the *really* sneaky pen tester will maintain a pseudo-random stream of hits to CNN and google and the like, and tunnel their *important* data out via SSL to some site with a pr0n-for-pay-ish name like www.llamas-r-hot.com, because you *expect* to see that sort of traffic distribution... ;)

So while "do everything over SSL" may sound like a good first cut (and in fact *is* a good start), the overall question is "what data do you want to conceal, and from whom, exactly?"

> On Fri, 12 Oct 2007 22:45:12 -0400 Valdis.Kletnieks@xxxxxx wrote:
> >Same problem still - you proxy, you rewrite it to port 443 - and
> >the destination
> >doesn't *have* anything at port 443. What should your Apache do?

And anybody who has been doing security for more than a week or so *knows* that failure to deal with corner cases like "but there's nothing *listening* on port 443" is a *major* source of bugs and places to find your 0-days.