Re: SSL VPNs and security

To: "Michal Zalewski" <lcamtuf@xxxxxxxxxxxx>
Subject: Re: SSL VPNs and security
From: "E Mintz" <net4n6@xxxxxxxxx>
Date: Fri, 9 Jun 2006 02:36:19 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=hsXVtL3THYMXap5YyGRt+r+0FkyVi3vFeRxHiJgjvFmGijuyYvyaeqaBmcDu6syMlabH6rpBGw0mSYmzZun0ZMK0iATU1bY8NeIsxF/oNsL0uA1s2Lo9odfJSurkqkDDSDsbdBx6kBldH/R8i0dXaPYGpEepXU6EGpHSNuuuJ4Y=
In-reply-to: <Pine.LNX.4.58.0606090830560.32681@dione>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0606072320530.32681@dione> <9b2461300606082317r7f16dafcv3b531e5652747c85@xxxxxxxxxxxxxx> <Pine.LNX.4.58.0606090830560.32681@dione>

I agree on your point that the technology requires PROPER design.

Vendors who miss the basics should lose their right to play the game.

On 6/9/06, Michal Zalewski <lcamtuf@xxxxxxxxxxxx> wrote:

On Fri, 9 Jun 2006, E Mintz wrote:

> How about some real-world, application specific exploits?

There's an example of a XSS that can be used to compromise Cisco Web VPN
session in the text.

> So, please show me an example of an actual compromise and I'll listen.
> Otherwise, put up, or shut up!

You're not strictly required to listen, you know ;)

/mz

References:
- SSL VPNs and security
  - From: Michal Zalewski
- Re: SSL VPNs and security
  - From: Michal Zalewski

Prev by Date: Re: Internet Explorer vulnerbility
Next by Date: Flork.com
Previous by thread: Re: SSL VPNs and security
Next by thread: Re: SSL VPNs and security
Index(es):
- Date
- Thread