
Re: [WEB SECURITY] Turning off SSL after a hack?



On 7/12/06, Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx> wrote:
> I have a hard time swallowing that SSL was actually turned off. More
> likely the author didn't get the facts straight. But who knows,
> stranger things have happened.

It sounds like they disabled outbound SSL traffic.

I saw one security policy that dictated no encryption be used on the
internal side of the DMZ, to make sure that the IDS had a chance to
observe all the traffic.  Encryption was used for external
communications, however.  The risk trade-offs are interesting.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/

