[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Python ssl handling could be better...
- To: bk <chort0@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Python ssl handling could be better...
- From: Marsh Ray <marsh@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 28 Feb 2011 11:46:20 -0600
+1 with a cherry on top!
A cipher is a device for converting a plaintext distribution problem
into a key distribution problem.
An ephemeral key-agreement protocol (e.g., Diffie-Hellman) is a device
for converting a key distribution problem into an authentication problem.
Therefore, authentication is primary.
One could say that unauthenticated encryption converts a passive
eavesdropping attack into an active man-in-the-middle attack.
On 02/27/2011 12:58 PM, bk wrote:
>
> - If you have the ability to sniff unencrypted traffic, you also have
> the ability to hijack unauthenticated HTTPS traffic, it just that
> simple.
Of the population of people who login to a computer and try to protect
information, the percentage of those who have ever used tcpdump or
Wireshark is very small. Of those who have looked at a packet capture,
the percentage who have ever experimented with active network attack
tools is even smaller. Nevertheless, there are off-the-shelf systems
that will do it at production scale.
Most of us find it much easier to obtain and view a pcap than set up an
active man-in-the-middle attack scenario. So converting the attacker
from a passive eavesdropper to an active on-line attacker (who probably
had to plan ahead a little bit) sure seems like it would represent an
increase in security.
And maybe it is if you're only defending against the random internet
malware of today. But it's of little use if you need to be concerned
about a targeted attack (i.e., you have, know, or are something worth
defending). Just ask the Iranian government or the Tunisian people.
> - ENCRYPTION IS POINTLESS WITHOUT AUTHENTICATION
Maybe it's even worse than pointless.
1. Insufficiently-authenticated encryption inevitably gives a false
sense of security.
2. Encryption can cause open vulnerabilities to be hidden to passive
network monitoring systems.
3. But attackers are not constrained to be passive. Encryption can cause
active, ongoing attacks to be hidden from monitoring.
Humans, like all living things, have over millions of years evolved
sophisticated built-in mechanisms for recognizing each other. We have so
much authentication going on at an automatic level that we find it very
difficult to judge the magnitude of the task.
This is exactly the type of situation that favors the hackers,
pentesters, and dictators of countries where the ISPs operate under the
Ministry of Information.
Let's not make it so easy that it takes all the fun out of it for them.
- Marsh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/