[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] JaPCrypt

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] JaPCrypt
From: Gerardo Di Giacomo <gerardo@xxxxxxxx>
Date: Wed, 06 Feb 2008 19:05:48 +0100

It's true that with MITM you could "poison" the javascript to steal thekey (cookie stealing style) but I think that it's a reasonable risk dueto the "non-enterprise" environment, in which the suite has been thoughtfor. Stealing the key requires a targeted attack MITM, in a precise moment.

I think it's better to use JaPCrypt then normal HTTP... and don't forgetthat all pages "protected" with JaPCrypt won't be indexed by crawlers.The "main" problem by now is not massive MITM but massive sniffing, andwith this suite the problem of "mass-sniffing" is avoided.


Regards,
 Gerardo

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] What makes Yahoo! a good merger candidate?
Next by Date: [Full-disclosure] rPSA-2008-0043-1 icu
Previous by thread: Re: [Full-disclosure] JaPCrypt
Next by thread: [Full-disclosure] What makes Yahoo! a good merger candidate?
Index(es):
- Date
- Thread