From: Andrew Langton (andrew.langtonbabcockbrown.com)
Date: Fri Jan 04 2002 - 17:34:37 CST

    One thing I've never had properly explained to me:

    If a hacker was sitting in a web cafe sniffing all the traffic, and captured
    the entire stream of data from the person connecting to the OWA server,
    couldn't they just replay the information to decrypt the data arriving at
    the client? I've been told no, but I haven't found anything/anyone that
    explains why not.

    Surely to negotiate a method of encryption that the client can decrypt,
    information must be passed between the systems that the wily hx0r d00d can
    use to decrypt or replay the session...(?)

    Cheers
    Andrew

    -----Original Message-----
    From: Jason Brvenik [mailto:jasonbetrusted.com]
    Sent: Friday, January 04, 2002 10:39 AM
    To: focus-mssecurityfocus.com
    Subject: RE: Securing OWA w/SSL on IIS5.0

    SSL only requires the server side certificate to enable full encryption
    of the transported data in any direction. The client cert really only
    adds value by providing Strong authentication / authorization; the SSL
    protocol stands on its own without it.

    It works like this (in a very simplified way):
    1) Client connects and requests the SSL session.
    2) Client inspects provided credentials for validity.
    3) Allow / Deny based on trust that is explicit or granted.
    4) A symmetric key is negotiated and exchanged using the public/private
    keypair of the server certificate.
    5) All communication is done with the symmetric keys.
    6) Some time later (or after a qualifying event) the keys are
    renegotiated.

    The major thing missing in this is trust. There is no trust that your
    server is your server if the client cannot verify the issuing authority.
    If you allow the SSL even though the client does not have the CA key,
    what is to stop the wily hx0r d00d from creating a CA that looks and
    feels like yours and then impersonating your server / replacing your
    cert and gaining all access anyway?

    If you would like more information please contact me directly at
    jasonbetrusted.com.

    Regards,
    Jason.
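An added example, not part of either message above: a toy model of step 4 showing why a recorded handshake is useless to a sniffer, both for decrypting and for replaying. It assumes RSA key transport with unpadded toy-sized RSA standing in for the server certificate keypair, plus the per-connection random values SSL exchanges in its hello messages; all names here are hypothetical.

```python
import hashlib, hmac, secrets

# Toy RSA key for the server certificate (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never leaves the server

def session_key(pms, client_random, server_random):
    """Both sides mix the secret with BOTH randoms, so every session key differs."""
    return hashlib.sha256(pms.to_bytes(32, "big") + client_random + server_random).digest()

def finished(key):
    """Proof that the sender knows the session key."""
    return hmac.new(key, b"client finished", hashlib.sha256).digest()

class Server:
    def hello(self):
        self.server_random = secrets.token_bytes(16)    # fresh for each connection
        return self.server_random

    def accept(self, client_random, enc_pms, client_finished):
        pms = pow(enc_pms, D, N)                         # only the private key holder can do this
        key = session_key(pms, client_random, self.server_random)
        return hmac.compare_digest(client_finished, finished(key))

def client_handshake(server_random):
    client_random = secrets.token_bytes(16)
    pms = secrets.randbelow(N - 2) + 2                   # pre-master secret, chosen by the client
    enc_pms = pow(pms, E, N)                             # encrypted to the server's public key
    key = session_key(pms, client_random, server_random)
    return client_random, enc_pms, finished(key)         # everything a sniffer sees on the wire

def demo():
    server = Server()
    captured = client_handshake(server.hello())          # sniffer records these values
    honest_ok = server.accept(*captured)                 # original connection succeeds
    server.hello()                                       # new connection, new server random
    replay_ok = server.accept(*captured)                 # recorded handshake replayed
    return honest_ok, replay_ok

if __name__ == "__main__":
    print(demo())
```

The sniffer holds `enc_pms` but not `pms`, so it cannot compute the session key, and the replay fails because the server's random value changed. With this style of key exchange, someone who later obtains the server's private key can still decrypt recorded sessions.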