Re: One for the Security Guru's - Henning Schmiedehausen

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Henning Schmiedehausen <hps@intermeta.de>
To: Danny Lepage <danny.lepage.bur@enter-net.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: One for the Security Guru's
Date: 25 Oct 2002 11:40:45 +0200	[thread overview]
Message-ID: <1035538846.23976.19.camel@forge> (raw)
In-Reply-To: <1035496935.19917.106.camel@phantom.enter-net.com>

On Fri, 2002-10-25 at 00:02, Danny Lepage wrote:
> Gee, isn't this a kind of "man in the middle" security breach ?!?! Most
> of the people on the net, including me, expect that nobody and I mean
> nobody is sitting between my browser and the web server, seeing
> unencrypted packets when we use SSL.

If you don't control the network between the Accelerator and your
webserver, you're toast anyway.

> And now your telling me that the SSL Accelerator Box and the IDS is
> seeing in clear text the traffic I thought only the web server was
> seeing ?!?! And presumably, the IDS is logging somewhere all the credit
> card info that I might be sending...

So what? How many "secure ecommerce sites" just put the information that
you sent over the secure channel into a database accessible by a tcp
port? or simply print it out? Send it via unencrypted mail to their
sales department (presumable to foobar-marketing@aol.com. Yes, I've
already seen that.). HTTPS is just a gurantee, that your data isn't
sniffed between your web browser and the device you're talking to. Once
the data hits the web server, there is nothing that HTTPS can do or you
can rely on.

> Mind you, I guess nothing prevented somebody to do something behind the
> Webserver to do some wicked thing but now, your telling me that they are
> devices, on the open market, specially design to do this!

Of course. Once you hit more than a few https transfers, you can either
burn your cpu cycles for doing crypto or simply use a device. 

	Regards
		Henning

-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20

next prev parent reply	other threads:[~2002-10-25  9:34 UTC|newest]

Thread overview: 51+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-10-23 13:02 One for the Security Guru's Robert L. Harris
2002-10-23 13:13 ` John Jasen
2002-10-23 13:20 ` Keith Owens
2002-10-24  7:56   ` Greg KH
2002-10-23 13:45 ` Alan Cox
2002-10-23 13:59   ` Gilad Ben-ossef
2002-10-23 22:14     ` James Cleverdon
2002-10-23 22:17       ` James Stevenson
2002-10-23 22:39         ` James Cleverdon
2002-10-23 22:44           ` James Stevenson
2002-10-24  6:12         ` Gilad Ben-Yossef
2002-11-06 21:39       ` Florian Weimer
2002-10-23 14:57 ` Richard B. Johnson
2002-10-23 17:56   ` Gerhard Mack
2002-10-24  9:38     ` Henning P. Schmiedehausen
     [not found]       ` <ap8f36$8ge$1@dstl.gov.uk>
2002-10-24 10:01         ` Tony Gale
2002-10-24 16:13           ` Gerhard Mack
2002-10-24 16:39             ` Henning P. Schmiedehausen
2002-10-24 16:34               ` David Lang
2002-10-24 17:04               ` Gilad Ben-Yossef
2002-10-25  9:44                 ` Henning Schmiedehausen
2002-10-25 20:52                   ` H. Peter Anvin
2002-10-26 10:43                     ` Henning P. Schmiedehausen
2002-10-27 10:17                       ` Rogier Wolff
2002-10-28  7:47                       ` Chris Wedgwood
2002-10-24 22:02               ` Danny Lepage
2002-10-25  9:40                 ` Henning Schmiedehausen [this message]
2002-10-24 14:23       ` Gilad Ben-ossef
2002-10-25  4:09       ` Stephen Satchell
2002-10-25 13:47         ` Stephen Frost
2002-10-26 10:38           ` Rogier Wolff
2002-10-26  9:44       ` Rogier Wolff
2002-10-26 10:46         ` Henning P. Schmiedehausen
2002-10-23 16:23 ` Henning P. Schmiedehausen
2002-10-23 17:55   ` David Lang
2002-10-23 19:46     ` H. Peter Anvin
2002-10-23 22:15 ` James Stevenson
2002-10-24  9:47   ` Henning P. Schmiedehausen
2002-10-25 12:28     ` Daniel Egger
2002-10-25 15:22       ` Alex Riesen
2002-10-25 16:38       ` Stephen Satchell
2002-10-25 18:21       ` [OT] " J Sloan
2002-10-26 10:40     ` OT " Rogier Wolff
2002-10-24 10:11   ` Ville Herva
2002-10-24 11:09     ` Henning P. Schmiedehausen
2002-10-24 11:55       ` Alan Cox
2002-10-24 14:40         ` Henning P. Schmiedehausen
2002-10-24 15:36           ` Alan Cox
2002-10-24 16:46     ` Eric W. Biederman
2002-10-24  6:04 ` David Wagner
  -- strict thread matches above, loose matches on Subject: below --
2002-10-23 21:49 Hank Leininger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1035538846.23976.19.camel@forge \
    --to=hps@intermeta.de \
    --cc=danny.lepage.bur@enter-net.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).