Simon Smith wrote:
Ok, so what's your alternative?
[...]
Some form of challenge response? If you can already perform a man in
the middle attack, than challenge response is just as vulnerable.
Just connect to the server when the client hits you, and pass them the
challenge you recieved. Use the credential yourself, and pass them a
failure. When they try again, connect them to the server.
You're right again. Does everyone here think that the majority of
companies hire security aware people?
We're not talking about general staff, we're talking about your firewall
admin. If your firewall admin doesn't care about security you've got
much bigger problems. Which appears to be the case...
\a
--
Andrew Simmons // MessageLabs Security Team
Technical Security Consultant
MessageLabs: Be certain
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/