[Dshield] 0wnlng Windows machines

Darren Spruell phatbuckett at gmail.com
Mon Feb 26 14:37:09 GMT 2007


On 2/25/07, Tony Earnshaw <tonni at hetnet.nl> wrote:
> FWIW use https not for certified authentication, but purely to encrypt
> all traffic between the site and the client; it is webmail, after all.

Fair enough, however even the server authentication portion of SSL has
a tie-in to the encryption portion. With encryption, a primary thing
you're worried about is confidentiality of the data. Encryption alone
won't keep your data secret from a third party if that third party can
perform a man-in-the-middle attack and intercept connections between
the server and client. The server will happily encrypt data between
itself and the attacker, and the client will gladly encrypt data
between itself and the attacker, allowing the attacker to see the
communication in cleartext. Therefore, your efforts to keep the
communications secured fall apart. For this reason, validation of the
server certificate is important to data confidentiality as well - the
attack fails when the client tries to validate that it is about to
carry on secure communications with the webmail server and the
certificate fails to validate properly. (In theory; the effectiveness
of this measure has a lot to do with the understanding of the client
that they have a hijacked connection and shouldn't just click yes to
continue anyway.)

DS
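As an added illustration, not part of the original post or thread, the following Python simulation shows the point above: an encrypted channel whose key exchange is not authenticated is shared with whoever sits in the middle, while checking the server's signed value aborts the connection. The toy Diffie-Hellman parameters and the HMAC-based "certificate" are constructed stand-ins for the TLS key exchange and a CA-signed server certificate.

```python
import hashlib
import hmac
import secrets

# Toy finite-field Diffie-Hellman; constructed parameters, far too small for real use.
P = (1 << 127) - 1   # a Mersenne prime
G = 5

# Stand-in for the server certificate: the client holds a trust anchor (a shared
# HMAC key here, a constructed simplification of a CA-signed public key) and
# refuses any key-exchange value that does not carry a valid signature over it.
TRUST_ANCHOR = secrets.token_bytes(32)

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)
def derive_key(priv, peer_pub):
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()
def sign(pub):
    return hmac.new(TRUST_ANCHOR, str(pub).encode(), "sha256").digest()
def cert_valid(pub, sig):
    return hmac.compare_digest(sign(pub), sig)

def handshake(validate_server, attacker_present):
    """Returns None if the client aborts, else (client_key, server_key,
    attacker_reads_both). validate_server=False also models a user who clicks
    'yes' past the certificate warning."""
    s_priv, s_pub = dh_keypair()
    c_priv, c_pub = dh_keypair()
    s_sig = sign(s_pub)                      # server presents its signed value
    if attacker_present:
        a_priv, a_pub = dh_keypair()
        # Attacker swaps in its own value toward each side; it cannot forge a
        # signature over a_pub, so the client sees the server's real signature.
        pub_for_client, sig_for_client = a_pub, s_sig
        pub_for_server = a_pub
    else:
        pub_for_client, sig_for_client = s_pub, s_sig
        pub_for_server = c_pub
    if validate_server and not cert_valid(pub_for_client, sig_for_client):
        return None                          # validation fails: connection refused
    client_key = derive_key(c_priv, pub_for_client)
    server_key = derive_key(s_priv, pub_for_server)
    if not attacker_present:
        return client_key, server_key, False
    # Both endpoints "happily encrypt" to the attacker, who holds a key with each side.
    reads_both = derive_key(a_priv, c_pub) == client_key and derive_key(a_priv, s_pub) == server_key
    return client_key, server_key, reads_both
```

Running `handshake(False, True)` shows the two ends agreeing on different keys, each shared with the attacker; `handshake(True, True)` returns None because the substituted value fails validation.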

