
RE: [WEB SECURITY] username & pw in clear-text through SSL considered safe?



> what did you mean for "KEYS ALREADY OBTAINED"???
> I cannot imagine what you're thinking.

To use a sniffer to peel off the SSL and get at the squishy gubbins
within, you need the keys (however obtained).  Or do you have another
method of getting inside SSL using a sniffer?

> Anyway about the fake trust hierarchy I think 
> all of us, security people, know that the 
> "human factor" has always been the most exploitable
> you don't need any fake hierarchy, just a fake 
> certificate made with Dug's webmitm.

This isn't a problem with SSL, it is a problem with browser
configuration and user education.  Tick the box that says don't accept
mismatched certificates.

Martin...


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA