Anonymous

Andy Walker wrote:

> Nomen Nescio wrote:
>
> >No, Tor doesn't change the fact that SSL has safeguards against MITM
> >attacks built into it. You're misunderstanding something you've read,
> >and you're spreading FUD as a result.
>
> Guess again skippy, we do it in-house to scan SSL sessions for data
> leaks and malicious content.

With the proxy running under the 5 versions outdated installation of PHP
you're still using? ;-)

Here's a clue: It doesn't work. Not without exerting physical control
over client softwares and the certificates they accept it doesn't
anyway. You conveniently left that part out, the part about you
mandating security policies, or you're just flat out flinging lies
hoping something will stick.

If you own the client you can make it do anything you want just like
inattentive users can. Accept any bogus certificate you offer, skip any
and all security checks, etc. And it's trivial to proxy SSL connections
themselves. You can even block connections you can't monitor so that
you force your users to use your certificates even if they do figure
out how to reset your broken security to defaults.

Hell, for that matter, readers can use something as simple as stunnel to
proxy SSL certificates locally and do the exact same thing as an
experiment, using a certificate they created themselves and manually
authorized in some client. Works just the same.

Of course not one bit of any of that has anything at all to so with the
subject at hand, so all you've really done here is yap about nothing of
any import. We're not talking about local network administrators
auditing and controlling installed software. Now are we? Hmmmmm??

Andy Walker

Anonymous wrote:

>Andy Walker wrote:
>
>> Nomen Nescio wrote:
>>
>> >No, Tor doesn't change the fact that SSL has safeguards against MITM
>> >attacks built into it. You're misunderstanding something you've read,
>> >and you're spreading FUD as a result.
>>
>> Guess again skippy, we do it in-house to scan SSL sessions for data
>> leaks and malicious content.
>
>With the proxy running under the 5 versions outdated installation of PHP
>you're still using? ;-)
>
>Here's a clue: It doesn't work. Not without exerting physical control
>over client softwares and the certificates they accept it doesn't
>anyway. You conveniently left that part out, the part about you
>mandating security policies, or you're just flat out flinging lies
>hoping something will stick.
>
>If you own the client you can make it do anything you want just like
>inattentive users can. Accept any bogus certificate you offer, skip any
>and all security checks, etc. And it's trivial to proxy SSL connections
>themselves. You can even block connections you can't monitor so that
>you force your users to use your certificates even if they do figure
>out how to reset your broken security to defaults.
>
>Hell, for that matter, readers can use something as simple as stunnel to
>proxy SSL certificates locally and do the exact same thing as an
>experiment, using a certificate they created themselves and manually
>authorized in some client. Works just the same.
>
>Of course not one bit of any of that has anything at all to so with the
>subject at hand, so all you've really done here is yap about nothing of
>any import. We're not talking about local network administrators
>auditing and controlling installed software. Now are we? Hmmmmm??

You really don't get it, do you? If I load a certificate for ANY site
on a proxy and you connect to it, I can make it look like you are
connecting to the site you intended to connect to. True, I can't
change the original information on the originating CA, but then your
client won't be looking for the real CA anyway because the cert is
signed by one of my bogus authorities. Better still, if I control
your DNS I can make your client think I've got a honest to dog EV Cert
with the green address bar and the feel good "verified by" bullshit.
Does this mean that someone with enough of a clue couldn't detect it?
No, but then there are so many clueless people out there it would
probably fool 99.9% of them.

Joan Battaglia

On Sun, 28 Oct 2007 00:21:24 -0400, Andy Walker wrote:
> Does this mean that someone with enough of a clue couldn't detect it?
> No, but then there are so many clueless people out there it would
> probably fool 99.9% of them.

It would fool me. I don't know what to look for.
I just used to say yes to all those popups.

Krazee Brenda

On Sat, 27 Oct 2007 21:36:06 -0400, Andy Walker wrote:

> Nomen Nescio wrote:
>
>>No, Tor doesn't change the fact that SSL has safeguards against MITM
>>attacks built into it. You're misunderstanding something you've read,
>>and you're spreading FUD as a result.
>
> Guess again Skippy, we do it in-house to scan SSL sessions for data
> leaks and malicious content.

Peanutbutterware
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

Ari

On Sun, 28 Oct 2007 06:54:36 +0100, Fritz Wuehler wrote:

> SSL certificates rely on the integrity of trusted CAs. Verisign signs your
> certificate request for foo.bar.com only if they can verify (veri-sign,
> clever, eh?) your authority over the real foo.bar.com. They won't sign a
> certificate for your little proxy scheme.
>
>> Better still, if I control
>> your DNS I can make your client think I've got a honest to dog EV Cert
>> with the green address bar and the feel good "verified by" bullshit.
>
> Worse still, it would not be valid because you simply do not possess the
> secret key tied to the certificate signed by a trusted CA.

Which can't be trusted completely in the first place.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/