Re: [Full-disclosure] Python ssl handling could be better...
- To: full-disclosure@xxxxxxxxxxxxxxxxx, Charles Morris <cmorris@xxxxxxxxxx>
- Subject: Re: [Full-disclosure] Python ssl handling could be better...
- From: bk <chort0@xxxxxxxxx>
- Date: Wed, 2 Mar 2011 09:52:40 -0800
On Mar 2, 2011, at 6:23 AM, Charles Morris wrote:
>> - ENCRYPTION IS POINTLESS WITHOUT AUTHENTICATION
>> BTW there really isn't a security difference between
>> encrypted-but-unauthenticated traffic and just plain unencrypted traffic.
>> The only "attacker" you're defeating is a casual observer,
>
> Fail. I hear the blackhats cackle as you switch to telnet. <snip a bunch of
> rambling that basically just says "MITM is hard">
It's hard to do if you're starting from zero and have to write your own tools.
It's not hard to do when you can just download something off the Internet,
which is the reality we're dealing with. Jay Beale released a tool to do this
years ago at Toorcon. There are many others. Game over on that discussion.
>
> Organized MITM by governments and backbone providers? A resounding YES
> this is an issue.
> MITM by disgruntled employee X or blackhat trudy? Not so much.
We should be designing systems for a high level of assurance, not "a little bit
better than awful." Besides, with the speed at which technology moves and the
innovativeness of users, products should be made robust so they can stand up to
unanticipated usage. For example, if someone went out and wrote a Twitter
client based on python-twitter and it became popular in North Africa, many
people would falsely think their revolutionary conversations are "secure"
because it "uses SSL", but in fact the oppressive governments can trivially
sniff all the traffic (and possibly impersonate trusted users?).
An attacker who is motivated to cause harm will find the tools to do what they
want, so MITM is not a high bar. There are available tools to do it that don't
require expertise. As I said previously, the only attacker defeated by
unauthenticated SSL is the one who wasn't going to cause much harm anyway.
>
>
>>> Maybe it's even worse than pointless.
>
> It's the idiot user's fault if they don't understand the difference
Ahh yes, the chorus of nerds everywhere. Guess what, most people just do their
job, that they're good at, and expect the technology to do the right thing.
They assume computer professionals are as thoughtful about making things easy to
use and safe as the designers of microwaves, lawn mowers, paper shredders,
etc... With those things you have to try really hard to hurt yourself or cause
damage. With unsafe SSL you're hurting yourself by default. That would be
akin to a microwave melting your eyes if you were "too stupid to wrap the
appliance in protective shielding."
>
> In short-
> Encryption without authentication is ALWAYS BETTER than no encryption
It's not. Would you like to jump out of an airplane with a parachute that you
THINK will work, but doesn't, or one that actually will work? You'd make a
different choice if you knew the chute wouldn't open.
> Authentication without encryption is ALWAYS BETTER than no authentication
Not if it can be captured/replayed to impersonate you in the future. WTF are
you smoking?
> Encryption with authentication is ALWAYS BETTER than either of the
> above two scenarios
>
Even a broken clock...
--
chort
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
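
Added example, not part of the original message and not code from python-twitter or any project named above: a static check a reviewer could run over Python client code to find where the `ssl` module is used without authenticating the peer, which is the failure mode debated in this thread. It assumes the module-level `ssl.wrap_socket` API of that era (default `cert_reqs=CERT_NONE`, no hostname check; removed in Python 3.12); the sample source and the function names are constructed for illustration.

```python
import ast

# Constructed sample input (parsed only, never executed).
SAMPLE = '''\
import socket, ssl
a = ssl.wrap_socket(socket.socket())
b = ssl.wrap_socket(socket.socket(), cert_reqs=ssl.CERT_REQUIRED, ca_certs="ca.pem")
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
c = ssl._create_unverified_context()
ok = ssl.create_default_context().wrap_socket(socket.socket(), server_hostname="example.org")
'''

def dotted(node):
    """Render a Name/Attribute chain as 'ssl.CERT_NONE'; other bases become '?'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    parts.append(node.id if isinstance(node, ast.Name) else "?")
    return ".".join(reversed(parts))

def find_unauthenticated_tls(source):
    """Return sorted (line, reason) pairs where client TLS setup skips peer authentication."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = dotted(node.func)
            kw = {k.arg: k.value for k in node.keywords}
            if func == "ssl._create_unverified_context":
                findings.append((node.lineno, "context with verification disabled"))
            elif func in ("ssl.wrap_socket", "wrap_socket"):
                server = node.args[3] if len(node.args) > 3 else kw.get("server_side")
                if getattr(server, "value", None) is True:
                    continue  # servers normally do not request client certificates
                # cert_reqs is the fifth positional parameter; symbolic names only
                reqs = node.args[4] if len(node.args) > 4 else kw.get("cert_reqs")
                ok = reqs is not None and dotted(reqs).endswith("CERT_REQUIRED")
                reason = "hostname not checked" if ok else "certificate not verified"
                findings.append((node.lineno, reason))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                name, value = dotted(target), node.value
                if name.endswith(".check_hostname") and getattr(value, "value", None) is False:
                    findings.append((node.lineno, "hostname not checked"))
                elif name.endswith(".verify_mode") and dotted(value).endswith("CERT_NONE"):
                    findings.append((node.lineno, "certificate not verified"))
    return sorted(findings)
```

A `wrap_socket` call with `CERT_REQUIRED` is still reported because the module-level function validates the chain but never matches the certificate against the host name; the last sample line, which uses a default context with `server_hostname`, produces no finding.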