(That's not quite as momentous as it seems, for reasons given further down).
What happened
-
I've finally (it took more than a month to get a response) managed to get hold
of the General Technology Note and General Software Note from NZ's version of
the Wassenaar control lists (the
Except that if you are paranoid enough to be worried about some
unknown entity flooding your machine with network packets to
manipulate the output of /dev/urandom, you are likely to not
trust Intel to do RNG in such a way that it can't be fooled with.
And if you're that paranoid,
It's my understanding that in order to exploit this, you'd have to essentially
set yourself up as a proxy after sending the RDP advert If this is the case,
wouldn't the fact that the man in the middle did not have the cert that
corresponded to the domain name cause at least one warning for most
In message [EMAIL PROTECTED], "MIKE SHAW" writes:
It's my understanding that in order to exploit this, you'd have to essentiall
y
set yourself up as a proxy after sending the RDP advert If this is the case,
wouldn't the fact that the man in the middle did not have the cert that
"Steven M. Bellovin" [EMAIL PROTECTED] writes:
The L0pht has issued a new advisory for an routing-type attack that can,
they say, allow for man-in-the-middle attacks against SSL-protected sessions
(http://www.l0pht.com/advisories/rdp.txt).
The implication -- that there's a flaw in SSL -- is
"Steven M. Bellovin" [EMAIL PROTECTED] writes:
Now, this does require that the CAs that your browser trusts follow
the Common Name=domain name convention, but that's just a special
case of trusting your CAs.
The attacker could also present a certficate from a fake CA with an
Right. But to do that you would most have to install your
homemade CA root cert on their browser, which would probably tip off
most users (at least a few customer would call clueless as to how to install
a CA--I know ours would). The only CAs with commonly accepted root certs
wouldn't let you
In message [EMAIL PROTECTED], EKR writes:
"Steven M. Bellovin" [EMAIL PROTECTED] writes:
Now, this does require that the CAs that your browser trusts follow
the Common Name=domain name convention, but that's just a special
case of trusting your CAs.
The attacker could also present
I haven't looked at the l0pht page yet, but you should be aware that the
browser checks the certificate so the user doesn't have to, under most
circumstances. The browser will display an alert if the hostname in the URL
doesn't matche the commonName in the certificate or if the certificate is
not
"Steven M. Bellovin" [EMAIL PROTECTED] writes:
The obvious protection is for users to check the certificate. Most users, of
course, don't even know what a certificate is, let alone what the grounds are
for accepting one. It would also help if servers used client-side
certificates for
"Steven M. Bellovin" wrote:
The obvious protection is for users to check the certificate. Most users, of
course, don't even know what a certificate is, let alone what the grounds are
for accepting one. It would also help if servers used client-side
certificates for authentication, since
At 02:39 PM 8/11/99 -0400, Henry Spencer wrote:
And will those hardware RNGs be subject to export control? Betcha they
will, assuming export control survives legal challenges. If this isn't
"enabling technology", I don't know what is...
Hey, there are *legitimate* civilian uses for RNGs. For
Um, pardon my ignorance, but what is the point of a diskless,
keyboardless computer that requires such high security? If the only
interface is the network, what good is it? I can see being diskless
(although why anyone would build a diskless machine in today's world,
I have no idea -- it
Yo Derek!
I know a lot of people that use diskless, keyboardless computers
as routers and terminal servers. I think a few small companies like
Cisco, Ascend, Bay Networks, etc. make these things. :-)
They have even been known to sell them as VPN gateways to encrypt
local LAN traffic as they
Can anyone please put up a reference
to this International Emergency
Economic Powers act?
Thanks!
Ern
- Original Message -
From: Robert Hettinga [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, August 13, 1999 4:40 PM
Subject: IP: Ho hum... State of Emergency
On 14 Aug 1999, Derek Atkins wrote:
Routers and Firewalls are not IPSec endpoints...
Firewalls can easily be IPSEC endpoints, if they double as security
gateways, which is likely to be common. (Making your firewall speak
IPSEC is considerably easier than making all the equipment behind it
do
On 13 Aug 1999, Derek Atkins wrote:
Um, pardon my ignorance, but what is the point of a diskless,
keyboardless computer that requires such high security? If the only
interface is the network, what good is it?
There are gadgets called "routers" and "firewalls" whose whole reason to
exist is
The attacker could also present a certficate from a fake CA with an
appropriate name -- say, "Netscape Security Services", or something that
Right. In which case Netscape brings up a different dialog which
says that the server certificate is signed by an unrecognized
CA. Again, you
18 matches
Mail list logo