Hello Michal,
On Thu, Jun 08, 2006 at 10:48:18PM +0200, Michal Zalewski wrote:
[...]
> Commercial SSL VPNs are a fairly recent technology that has a
> considerable appeal to various corporations. Because of its novelty,
> however, in a typical setup
On 8 Jun 2006 at 22:48, Michal Zalewski wrote:
> "Web VPN" or "SSL VPN" is a term used to denote methods for accessing
> company's internal applications with a bare WWW browser, with the use of
> browser-based SSO authentication and SSL tunneling. As opposed to IPSec,
> no additional software or c
Very good information, we use F5 firepass products and I could see the same
issue inherent in your statements. The benefits to the business, from a cost
perspective, are many, no need for tokens unless you are doing 2-factor auth,
which I encourage as it will check your personal PIN against you
I agree on your point that the technology requires PROPER design.
Vendors who miss the basics should lose their right to play the game.
On 6/9/06, Michal Zalewski <[EMAIL PROTECTED]> wrote:
On Fri, 9 Jun 2006, E Mintz wrote:
> How about some real-world, application specific exploits?
There's
How about some real-world, application specific exploits?
SSL VPN is hardly a 'novelty' or 'recent' technology. I implemented my
first SSL VPN in '99 at a large financial, and it is still in
production, and secure
So, please show me an example of an actual compromise and I'll listen.
Otherwise,
On Fri, 9 Jun 2006, E Mintz wrote:
> How about some real-world, application specific exploits?
There's an example of a XSS that can be used to compromise Cisco Web VPN
session in the text.
> So, please show me an example of an actual compromise and I'll listen.
> Otherwise, put up, or shut up!