Re: [Full-disclosure] Secure HTTP
On Fri, 24 Mar 2006 11:58:35 +0200, Q Beukes said:

> I just don't want our clear text http traffic to be sniffed, which has been a
> known problem on our network a few times.

If the text is something that you give a flying fsck in a rolling donut about the sniffability, it shouldn't be clear text http.

Do the frikking SSL correctly on port 443 like the RFCs intend rather than cooking up some half-assed proxy scheme to work around it.

insert standard if I had a nickel for every time somebody proposed a partial solution for the wrong part of the problem instead of doing it in the well-understood correct way in the first place, I'd be long since retired speech here

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Secure HTTP
From: Q Beukes [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] Secure HTTP
Date: Fri, 24 Mar 2006 11:58:35 +0200

> Nah. I just don't want our clear text http traffic to be sniffed, which has
> been a known problem on our network a few times.

To be honest, if you have an unauthorised network sniffer on your own network then you probably have bigger problems than this.

If the sniffer is authorised and is being used to stop network abuse then trying to avoid it would probably be quite obvious.

mxb
RE: [Full-disclosure] Secure HTTP
Wait, you mean security (solely) through obscurity doesn't work?? :)

/TJ

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Ng
Sent: Friday, March 24, 2006 10:43 AM
To: [EMAIL PROTECTED]
Cc: Full Disclosure
Subject: Re: [Full-disclosure] Secure HTTP

On 3/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Do the frikking SSL correctly on port 443 like the RFCs intend rather than
> cooking up some half-assed proxy scheme to work around it.
>
> insert standard if I had a nickel for every time somebody proposed a partial
> solution for the wrong part of the problem instead of doing it in the
> well-understood correct way in the first place, I'd be long since retired
> speech here

You would be more than rich. You won't believe the number of security improvements I've had to knock down. One application had all the ports reassigned to all non standard ports. When I asked why such a brain dead thing was done, they said it was for security, and that it would be too much work to find these ports. Then I showed them nmap with the port identification option. Their jaw dropped to the floor. They had *NO* security. Anonymous ftp world writable, http with no id or password allowing web page updating, telnet with no id or password. Needless to say, a redesign was required.
[Full-disclosure] Secure HTTP
Hey,

Are there any open source proxy/tunneling software that makes it possible to surf both HTTP/HTTPS over an SSL/HTTPS connection.

In other words I want all my http traffic to be encrypted...

Thx
Q Beukes
Re: [Full-disclosure] Secure HTTP
On Thursday, 23 March 2006 at 15:55 +0200, Q Beukes wrote:

> Are there any open source proxy/tunneling software that makes it possible to
> surf both HTTP/HTTPS over an SSL/HTTPS connection.

Use PPP over stunnel, with a patch to support CONNECT method through proxies:

http://www.stunnel.org/examples/pppvpn.html

You can use OpenVPN as well, that supports both CONNECT and HTTP AUTH.

Or you can use any HTTPS proxying service, such as anonymizer.com...

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
Re: [Full-disclosure] Secure HTTP
Ok, but all his traffic on his network will be encrypted... no?

> If the sites you are visiting don't support encryption, you are still going
> to end up with data in clear-text on the wire.
Re: [Full-disclosure] Secure HTTP
On 3/23/06, Julien GROSJEAN - Proxiad [EMAIL PROTECTED] wrote:
> Ok, but all his traffic on his network will be encrypted... no?
>
> > If the sites you are visiting don't support encryption, you are still
> > going to end up with data in clear-text on the wire.

Sure. It depends on who and what he is worried about.

- Brian
FW: [Full-disclosure] Secure HTTP
I did a simelar thing and used it to get around my school's filtering system. I'd wager he's trying to do something like this ;)

Unfortuatly, what Julian says is correct, you'll need to bounce the connection through another server with stunnel forwarding the (now encrypted) connections back to your gateway. Which isn't too bad, all you need a halfway decent shell account (or just get a damn server) that'll allow backgroup procs.

Just my 2 pence.

Ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Eaton
Sent: 23 March 2006 15:40
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Secure HTTP

On 3/23/06, Julien GROSJEAN - Proxiad [EMAIL PROTECTED] wrote:
> Ok, but all his traffic on his network will be encrypted... no?
>
> > If the sites you are visiting don't support encryption, you are still
> > going to end up with data in clear-text on the wire.

Sure. It depends on who and what he is worried about.

- Brian
Re: [Full-disclosure] Secure HTTP
Brian Eaton wrote:
> On 3/23/06, Julien GROSJEAN - Proxiad [EMAIL PROTECTED] wrote:
> > Ok, but all his traffic on his network will be encrypted... no?
> >
> > > If the sites you are visiting don't support encryption, you are still
> > > going to end up with data in clear-text on the wire.
>
> Sure. It depends on who and what he is worried about.
>
> - Brian

Maybe a valid scenario might be surfing Pr0n from work?
Re: FW: [Full-disclosure] Secure HTTP
And to think you were the guy who started the 'noise on the list' thread. My mailing list filter has your spelling mistakes written all over it.

You're the weakest link, good bye!

On 3/23/06, Edward Pearson [EMAIL PROTECTED] wrote:
> I did a simelar thing and used it to get around my school's filtering
> system. I'd wager he's trying to do something like this ;)
>
> Unfortuatly, what Julian says is correct, you'll need to bounce the
> connection through another server with stunnel forwarding the (now
> encrypted) connections back to your gateway. Which isn't too bad, all you
> need a halfway decent shell account (or just get a damn server) that'll
> allow backgroup procs.
>
> Just my 2 pence.
>
> Ed