What do you mean... what do I mean by local access? :-)

I mean local access as in opposite of remote access... as in physically
plugged into the network in question. 

You are thinking of vulnerabilities in the makeup of certs/SSL and there
aren’t any (that I know of) and that plays into it as well by keeping the
client user comfortable and happy thinking everything is secure. Don’t think
of vulnerabilities... think of how well certs and SSL work and how most
people see that httpS:// and they are put at ease and are content to give
you everything you ask for after that.

Now if you can fake a cert and have the client use yours instead of the
server's (the whole while the client and REAL gateway believe YOU are the
other) you can easily get at the payload just as easily as if it weren’t
encrypted? That is the key and that is easily done without prompting anyone
to accept anything. (and I guess the part you don’t believe can be
accomplished?)

The only thing left to give you away would be the actual IP address. If
someone saw that... say... supersecureremotesite.com was a 10.10.10.10 or
192.168 address (and knew what they were looking at) they might get a little
suspicious but who is going to check the IP address of a commonly visited,
secure site when they see no need to? And yes, IPs are flashed in the status
bar of browsers while downloading content sometimes so there's another
potential giveaway.

Before this conversation, you and anyone else would have simply accepted a
cert prompt from an SSL enabled GMail and logged in. You definitely wouldn't
have had a problem if you weren’t asked to accept the cert.

> And in the real world I live in, when I visit client sites, they 
> are often quite secure, to the point where moving a machine from one 
> wall jack to another requires administrative intervention (and 
> triggers alarms if you do it yourself).

That most definitely is NOT the real world. I would have to call that a
complete exaggeration. Sure, maybe you've seen one particular place that
secure and that’s awesome but everywhere you go isn't like that or even
close. Sorry.

> I'm familiar with using, say, Ettercap to capture HTTPS
> sessions, but again, I've never seen an example where 
> this didn't rely on presenting an invalid certificate to the user.

Of course it requires presenting an invalid cert. How else could it be done?
The key is getting the cert accepted without user interaction.

> If by "local access" you mean access (and potential control) of
> an endpoint in an SSL conversation, then yeah, you've just described
> the whole problem with "clientless" SSL VPNs in a nutshell. But that's 
> not what anyone here (other than you, perhaps) is talking about, as far 
> as I can tell. 

No, I believe you are the only person to bring that up. It's pretty much
been about MiTMA's and reading traffic and controlling it rather than an
actual machine since the beginning as far as I can tell...

Short of a step by step how-to, that's the best I can do for you. You'll
either move on with your life and continue to think everything is fine and
dandy as long as SSL is implemented 'correctly' and you don't have to hit
'accept' on a cert prompt or you'll try to raise your network's security
level to the level you mentioned with alarms for unplugged/plugged in
machines.

I have to wonder though... what happens when you boot up, shut down or
disable/enable a NIC? Is there an alert every time any of that happens? That
would be annoying... Useful... but annoying lol



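An added example, not part of the original message: a client-side check for the giveaway the post describes (an Internet-facing name such as supersecureremotesite.com answering from a 10.x or 192.168.x address), combined with a certificate pin so that a substituted cert is noticed even when no prompt appears. The pin store, the function names and the sample certificate bytes and addresses are constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed placeholder bytes standing in for DER-encoded certificates.
REAL_CERT = b"constructed-der-bytes-of-genuine-cert"
FAKE_CERT = b"constructed-der-bytes-of-substituted-cert"

# Hypothetical pin store: hostname -> SHA-256 of the expected certificate.
PINS = {"supersecureremotesite.com": hashlib.sha256(REAL_CERT).hexdigest()}

# Address ranges that a public site should never resolve to.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def address_findings(hostname, resolved_ips):
    """Report every answer that places the hostname on a local-only range."""
    findings = []
    for ip in resolved_ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            findings.append(f"{hostname} resolved to local address {addr}")
    return findings


def pin_finding(hostname, der_cert):
    """Compare the presented certificate with the pinned fingerprint."""
    expected = PINS.get(hostname)
    actual = hashlib.sha256(der_cert).hexdigest()
    if expected is not None and actual != expected:
        return f"{hostname} presented unpinned certificate {actual[:16]}..."
    return None


def check_connection(hostname, resolved_ips, der_cert):
    """Run both checks; an empty list means nothing suspicious was seen."""
    findings = address_findings(hostname, resolved_ips)
    pin = pin_finding(hostname, der_cert)
    if pin:
        findings.append(pin)
    return findings


if __name__ == "__main__":
    # Constructed observations: a normal connection, then an intercepted one.
    print(check_connection("supersecureremotesite.com", ["203.0.113.10"], REAL_CERT))
    print(check_connection("supersecureremotesite.com", ["10.10.10.10"], FAKE_CERT))
```

The pin comparison does not depend on the browser or OS trust store, so it still fires when a substituted certificate has been accepted without any prompt.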