Figured out the problem: Internet Explorer. I should have guessed.
In IE's security settings, the default for the Internet zone has the setting
"Don't prompt for client certificate when no certificates or only one
certificate exists" set to "Disabled". However, the default for the Local
intranet z
Indeed, I had planned on clamming up after that last post.
- Robert
On Wed, 2007-10-03 at 22:17 -0400, Victor Duchovni wrote:
> On Wed, Oct 03, 2007 at 07:57:41PM -0400, Robert Butler wrote:
>
> > That isn't man-in-the-middle, that's simple spoofing.
> >
>
> I would like to humbly suggest th
On Wed, Oct 03, 2007 at 07:57:41PM -0400, Robert Butler wrote:
> That isn't man-in-the-middle, that's simple spoofing.
>
I would like to humbly suggest that this thread end... Phishing attacks
can be discussed on other lists.
--
Viktor.
That isn't man-in-the-middle, that's simple spoofing.
And, I never said spoofing wasn't doable. I stated that getting
in-between a user and their SSL server depends on the strength of that
remote server's SSL cert, or catching the client and server when they're
about to start the exchange of temp
On Wed, Oct 03, 2007 at 05:04:52PM -0600, [EMAIL PROTECTED] wrote:
> These financial institutions have a major major problem. Then they
> recommend to people to use insecure systems. I expect within a few
> years we are going to see some MAJOR heists!
I think you mean a few years ago, but this
Right. With server auth you eliminate the weakness I was thinking about a few
years back. As was pointed out, I didn't check for HTML.
On Wed, Oct 03, 2007 at 03:55:21PM -0700, Michael Sierchio wrote:
> [EMAIL PROTECTED] wrote:
> > I'd like to ask the group about a possible man in the middle att
Thank you very much!
I never realised there was even an HTML attachment! I use mutt and never
looked for it. Of course I know why I use mutt, and this is one of the reasons
why.
Since I never looked at the HTML I never saw the bogus address. How cute, eh!
These financial institutions have a maj
[EMAIL PROTECTED] wrote:
I'd like to ask the group about a possible man in the middle attack over https.
What you've described (though see Viktor's post about what you didn't
really include in your message) is not MITM -- it's just a fake URL
scheme. SSL v3.0 and TLS with server auth are not
That's right-
nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
since everything is encrypted using TLS or SSL.
If you get extremely lucky and catch the browser at the wrong moment,
you can sniff the server key and browser key,
but apart from that, it really depends on the stren
On 10/3/07, David Schwartz <[EMAIL PROTECTED]> wrote:
>
>
> > I need a way to hide the public key in the binary...
>
> You can't ask in public for a good hiding place.
>
> Note that your question has *nothing* to do with OpenSSL or even public
> key
> encryption for that matter. Your question is ba
> I need a way to hide the public key in the binary...
You can't ask in public for a good hiding place.
Note that your question has *nothing* to do with OpenSSL or even public key
encryption for that matter. Your question is basically "how do I make a
tamperproof executable".
DS
On Wed, Oct 03, 2007 at 11:21:46AM -0600, [EMAIL PROTECTED] wrote:
> Here is the URL they direct the victim to:
>
> https://us.etrade.com/login/challange/2b593cba/logon.htm
>
This is not the actual booby-trapped URL that users who click on the
phishing links would use. You are not looking at t
Thanks for your comments.
I do not think it has anything to do with a DN hostname mismatch. It is true
that your browser will give you warning if the CN in the SSL server
certificate does not match the hostname you are requesting, but this doesn't
affect whether you are prompted for a client certi
Hello,
> I am trying to debug a problem with the browser prompting for a client
> certificate, and I used the following to see the details of the SSL
> negotiation:
>
> # openssl s_client -connect hostname:port -msg
>
> I am testing 2 different scenarios and get basically the same output
> for
The switch and load balancer do not have their own SSL server certificate.
In the browser, when I view the certificate, I can see that I am getting the
SSL certificate from the back-end server "myserver".
The switch and load balancer SHOULD be configured such that the SSL session
terminates at the
On Wed, Oct 03, 2007 at 11:11:26AM -0500, Md Lazreg wrote:
> > What problem does preventing the user from fielding a modified application
> > solve?
>
>
> It solves the problem of preventing the user from running my application in
> a mode they did not pay for.
If your target is PC software, th
Hello,
> If your users are not technically sophisticated, and the application is
> aimed at paying business customers and not the general public, it is
> enough to compile the key into the application. Businesses don't like
> being caught stealing.
>
> If or users are the general public and/or the
On Wed, 3 Oct 2007, Md Lazreg wrote:
On 10/3/07, Victor Duchovni <[EMAIL PROTECTED]> wrote:
On Wed, Oct 03, 2007 at 10:42:59AM -0500, Md Lazreg wrote:
Private keys do encrypt using the function :
http://www.openssl.org/docs/crypto/RSA_private_encrypt.html
Of course they do, but when a priv
I am trying to debug a problem with the browser prompting for a client
certificate, and I used the following to see the details of the SSL
negotiation:
# openssl s_client -connect hostname:port -msg
I am testing 2 different scenarios and get basically the same output for
both except that the fi
On Wed, Oct 03, 2007 at 11:11:26AM -0500, Md Lazreg wrote:
> On 10/3/07, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> >
> > On Wed, Oct 03, 2007 at 10:57:39AM -0500, Md Lazreg wrote:
> > Is this DRM? DRM is not possible without
> > trusted hardware, and even then is difficult.
>
>
> Yes it is DR
On 10/3/07, Victor Duchovni <[EMAIL PROTECTED]> wrote:
>
> On Wed, Oct 03, 2007 at 10:57:39AM -0500, Md Lazreg wrote:
> Is this DRM? DRM is not possible without
> trusted hardware, and even then is difficult.
Yes it is DRM in a way. I know it is not possible to have a 100% protection
using only
On Wed, Oct 03, 2007 at 10:57:39AM -0500, Md Lazreg wrote:
> > If you are signing, your model is fine, and embedding the public key in
> > the binary is exactly the right thing to do. If you are encrypting,
> > use a symmetric algorithm, the public key algorithm is just confusing
> > you.
>
> Yes
On 10/3/07, Victor Duchovni <[EMAIL PROTECTED]> wrote:
>
> On Wed, Oct 03, 2007 at 10:42:59AM -0500, Md Lazreg wrote:
>
> > Private keys do encrypt using the function :
> > http://www.openssl.org/docs/crypto/RSA_private_encrypt.html
>
> Of course they do, but when a private key encrypts, it is
> ca
On Wed, Oct 03, 2007 at 10:42:59AM -0500, Md Lazreg wrote:
> Private keys do encrypt using the function :
> http://www.openssl.org/docs/crypto/RSA_private_encrypt.html
Of course they do, but when a private key encrypts, it is
called "signing", because the public key is presumed to be (drum
roll..
On 10/3/07, Victor Duchovni <[EMAIL PROTECTED]> wrote:
>
> On Wed, Oct 03, 2007 at 10:04:26AM -0500, Md Lazreg wrote:
>
> > I am encrypting a file using a private key, and my program is decrypting
> it
> > using the public key compiled in the binary.
>
> Private keys don't "encrypt" they sign. The
Hello,
> I modified my code to add the following two lines after initializing
> the ssl library with SSL_library_init():
> ---
> RAND_write_file("prngseed.dat");
> RAND_load_file("prngseed.dat", -1);
> ---
> And this solved the problem on HPUX.
This is not a good solution.
You should install
Piotr Skwarna schrieb:
> Hi
>
> I am trying to compile Apache with my OpenSSL
>
> ./configure --prefix=/usr/unizeto/apache22 --enable-proxy --enable-ssl
> --with-ssl=/opt/NEW/openssl/
>
> [...]
> checking for OpenSSL version... checking openssl/opensslv.h us
In message <[EMAIL PROTECTED]> on Wed, 3 Oct 2007 10:04:26 -0500, "Md Lazreg"
<[EMAIL PROTECTED]> said:
mdlazreg> I am encrypting a file using a private key, and my program
mdlazreg> is decrypting it using the public key compiled in the
mdlazreg> binary.
If it isn't an automatic process of some
On Wed, Oct 03, 2007 at 10:04:26AM -0500, Md Lazreg wrote:
> I am encrypting a file using a private key, and my program is decrypting it
> using the public key compiled in the binary.
Private keys don't "encrypt" they sign. The public key *verifies*.
If you want to encrypt, you use the "public" k
Don't save it in the binary?
Regards,
Daniel Clusin
EnerNOC, Inc.
(617)5328154
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Md Lazreg
Sent: Wednesday, October 03, 2007 11:04 AM
To: openssl-users@openssl.org
Subject: public key in the binar
Hi,
I am encrypting a file using a private key, and my program is decrypting it
using the public key compiled in the binary.
The question is how to protect my public key against binary analysis within
the binary? I do not want someone to replace it with their own public key
and hence encrypting m
Hello everyone,
I modified my code to add the following two lines after initializing the ssl
library with SSL_library_init():
---
RAND_write_file("prngseed.dat");
RAND_load_file("prngseed.dat", -1);
---
And this solved the problem on HPUX.
Now I am facing the same connectivity problem on
On Wed, Oct 03, 2007 at 11:47:33AM +0530, Subramaniam wrote:
> I am using a self-signed certificate as a CA certificate.
Post the CA certificate to the list.
> My entity certificate is signed by this self-signed CA. In my test programs
Post the entity certificate to the list.
> But another pro
2007/10/3, Piotr <[EMAIL PROTECTED]>:
>
>
> > checking openssl/engine.h usability... yes
> > checking openssl/engine.h presence... yes
> > checking for openssl/engine.h... yes
> > checking for SSLeay_version in -lcrypto... no
> > checking for SSL_CTX_new in -lssl... no
> > checking for ENGINE_init.
checking openssl/engine.h usability... yes
checking openssl/engine.h presence... yes
checking for openssl/engine.h... yes
checking for SSLeay_version in -lcrypto... no
checking for SSL_CTX_new in -lssl... no
checking for ENGINE_init... no
checking for ENGINE_load_builtin_engines... no
checking f
Hi
I am trying to compile Apache with my OpenSSL
./configure --prefix=/usr/unizeto/apache22 --enable-proxy --enable-ssl
--with-ssl=/opt/NEW/openssl/
[...]
checking for OpenSSL version... checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv