Mailing List Archive

extension for Firefox to force HTTPS always?
Sometimes when pen-testing you don't want to leak any unencrypted
data. Is there a Firefox extension that forces all content over HTTPS
to ensure such security?
--
Kristian Erik Hermansen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: extension for Firefox to force HTTPS always?
Written on Saturday 13 October 2007 at 00:20:26:
> Sometimes when pen-testing you don't want to leak any unencrypted
> data. Is there a Firefox extension that forces all content over HTTPS
> to ensure such security?

You can write a GreaseMonkey [0] script for that, there is even an example for
GMail [1].

[0] https://addons.mozilla.org/en-US/firefox/addon/748
[1] http://userscripts.org/scripts/show/1404

--
Faith is believing what you know isn't so -- Mark Twain

Re: extension for Firefox to force HTTPS always?
I just wanted to clarify that I am looking for an extension that will
rewrite all encountered HTTP references in Firefox to HTTPS. I would
already have a firewall or some other layer7 filtering device blocking
unencrypted traffic. The addon "Better Gmail" does something similar
to this, with the "force HTTPS" option, but not exactly...
--
Kristian Erik Hermansen

Re: extension for Firefox to force HTTPS always?
On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
> I just wanted to clarify that I am looking for an extension that will
> rewrite all encountered HTTP references in Firefox to HTTPS. I would
> already have a firewall or some other layer7 filtering device blocking
> unencrypted traffic. The addon "Better Gmail" does something similar
> to this, with the "force HTTPS" option, but not exactly...

What should this hypothetical extension do if it automagically redirects
http: to https:, but the target server is something that is only listening
on port 80 because it doesn't have https: enabled?

https://www.cnn.com just sorta sits there for me.
Re: extension for Firefox to force HTTPS always?
MAYBE YOU HAVE A SUGGESTION OR SOMETHING CONSTRUCTIVE TO SAY AFTER
ALL THESE YEARS VLADIS OR MAYBE YOU SHOULD SHUT THE FUCK UP!!!

YOU AREN'T SMARTER THAN WE THINK YOU ARE

On Fri, 12 Oct 2007 21:55:37 -0400 Valdis.Kletnieks@vt.edu wrote:
>On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
>> I just wanted to clarify that I am looking for an extension that will
>> rewrite all encountered HTTP references in Firefox to HTTPS. I would
>> already have a firewall or some other layer7 filtering device blocking
>> unencrypted traffic. The addon "Better Gmail" does something similar
>> to this, with the "force HTTPS" option, but not exactly...
>
>What should this hypothetical extension do if it automagically redirects
>http: to https:, but the target server is something that is only listening
>on port 80 because it doesn't have https: enabled?
>
>https://www.cnn.com just sorta sits there for me.
Re: extension for Firefox to force HTTPS always?
what is wrong with his suggestion?

If you look at the situation the following things happen:

[hhoffman@localhost ~]$ host www.cnn.com
www.cnn.com has address 64.236.16.20
www.cnn.com has address 64.236.16.52
www.cnn.com has address 64.236.24.12
www.cnn.com has address 64.236.29.120
www.cnn.com has address 64.236.91.21
www.cnn.com has address 64.236.91.22
www.cnn.com has address 64.236.91.23
www.cnn.com has address 64.236.91.24
Host www.cnn.com not found: 3(NXDOMAIN)


[hhoffman@localhost ~]$ openssl s_client -connect www.cnn.com:443


[root@localhost ~]# tcpdump -i wlan0 -ln tcp port 443 and net '64.236'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
22:02:32.427607 IP 192.168.1.103.35113 > 64.236.24.12.https: S
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102380687
0,nop,wscale 7>
22:02:35.427467 IP 192.168.1.103.35113 > 64.236.24.12.https: S
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102383687
0,nop,wscale 7>
22:02:41.427496 IP 192.168.1.103.35113 > 64.236.24.12.https: S
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102389687
0,nop,wscale 7>
22:02:53.427470 IP 192.168.1.103.35113 > 64.236.24.12.https: S
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102401687
0,nop,wscale 7>
22:03:17.427469 IP 192.168.1.103.35113 > 64.236.24.12.https: S
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102425687
0,nop,wscale 7>
22:04:05.427466 IP 192.168.1.103.35113 > 64.236.24.12.https: S
2923208691:2923208691(0) win 5840 <mss 1460,sackOK,timestamp 102473687
0,nop,wscale 7>
22:05:41.427556 IP 192.168.1.103.47627 > 64.236.29.120.https: S
2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102569687
0,nop,wscale 7>
22:05:44.427467 IP 192.168.1.103.47627 > 64.236.29.120.https: S
2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102572687
0,nop,wscale 7>
22:05:50.427472 IP 192.168.1.103.47627 > 64.236.29.120.https: S
2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102578687
0,nop,wscale 7>
22:06:02.428441 IP 192.168.1.103.47627 > 64.236.29.120.https: S
2954205762:2954205762(0) win 5840 <mss 1460,sackOK,timestamp 102590687
0,nop,wscale 7>


If there are a ton of addresses associated with the hostname record
you'd be sitting there for a long time, no?

It'd be nice if sites sent an unreachable message but some ppl still
believe that blocking all ICMP is ok...

go figure.

Cheers,
Harry


full-disclosure@hushmail.com wrote:
> MAYBE YOU HAVE A SUGGESTION OR SOMETHING CONSTRUCTIVE TO SAY AFTER
> ALL THESE YEARS VLADIS OR MAYBE YOU SHOULD SHUT THE FUCK UP!!!
>
> YOU AREN'T SMARTER THAN WE THINK YOU ARE
>
> On Fri, 12 Oct 2007 21:55:37 -0400 Valdis.Kletnieks@vt.edu wrote:
>> On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
>>> I just wanted to clarify that I am looking for an extension that will
>>> rewrite all encountered HTTP references in Firefox to HTTPS. I would
>>> already have a firewall or some other layer7 filtering device blocking
>>> unencrypted traffic. The addon "Better Gmail" does something similar
>>> to this, with the "force HTTPS" option, but not exactly...
>> What should this hypothetical extension do if it automagically redirects
>> http: to https:, but the target server is something that is only listening
>> on port 80 because it doesn't have https: enabled?
>>
>> https://www.cnn.com just sorta sits there for me.
Re: extension for Firefox to force HTTPS always?
I don't know about a browser extension, but you might be able to install apache with mod_ssl, mod_proxy, and mod_rewrite locally then basically have it take care of everything.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: Valdis.Kletnieks@vt.edu

Date: Fri, 12 Oct 2007 21:55:37
To:Kristian Erik Hermansen <kristian.hermansen@gmail.com>
Cc:full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] extension for Firefox to force HTTPS always?


On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
> I just wanted to clarify that I am looking for an extension that will
> rewrite all encountered HTTP references in Firefox to HTTPS. I would
> already have a firewall or some other layer7 filtering device blocking
> unencrypted traffic. The addon "Better Gmail" does something similar
> to this, with the "force HTTPS" option, but not exactly...

What should this hypothetical extension do if it automagically redirects
http: to https:, but the target server is something that is only listening
on port 80 because it doesn't have https: enabled?

https://www.cnn.com just sorta sits there for me.


Re: extension for Firefox to force HTTPS always?
On Sat, 13 Oct 2007 02:15:39 -0000, gjgowey@tmo.blackberry.net said:

> I don't know about a browser extension, but you might be able to install
> apache with mod_ssl, mod_proxy, and mod_rewrite locally then basically have it
> take care of everything.

Same problem still - you proxy, you rewrite it to port 443 - and the destination
doesn't *have* anything at port 443. What should your Apache do?
Re: extension for Firefox to force HTTPS always?
My solution wasn't to cure that problem. Only the one the original author was looking for.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: Valdis.Kletnieks@vt.edu

Date: Fri, 12 Oct 2007 22:45:12
To:gjgowey@tmo.blackberry.net
Cc:full-disclosure-bounces@lists.grok.org.uk, Kristian Erik Hermansen <kristian.hermansen@gmail.com>, full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] extension for Firefox to force HTTPS always?


On Sat, 13 Oct 2007 02:15:39 -0000, gjgowey@tmo.blackberry.net said:

> I don't know about a browser extension, but you might be able to install
> apache with mod_ssl, mod_proxy, and mod_rewrite locally then basically have it
> take care of everything.

Same problem still - you proxy, you rewrite it to port 443 - and the destination
doesn't *have* anything at port 443. What should your Apache do?

Re: extension for Firefox to force HTTPS always?
So one example is that you are in a wifi cafe and you want to browse
sites which may be available on both http and https. One example is
when you browse google calendar. By default you will get http even
after logging in over https. It doesn't really matter anyways and I
should just code this up for myself. I was just wondering if
something already existed...that whole code reuse concept...you know
:-/


On 10/12/07, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> wrote:
> On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
> > I just wanted to clarify that I am looking for an extension that will
> > rewrite all encountered HTTP references in Firefox to HTTPS. I would
> > already have a firewall or some other layer7 filtering device blocking
> > unencrypted traffic. The addon "Better Gmail" does something similar
> > to this, with the "force HTTPS" option, but not exactly...
>
> What should this hypothetical extension do if it automagically redirects
> http: to https:, but the target server is something that is only listening
> on port 80 because it doesn't have https: enabled?
>
> https://www.cnn.com just sorta sits there for me.
>
>


--
Kristian Erik Hermansen

Re: extension for Firefox to force HTTPS always?
on the google sites; customisegoogle lets you force them into ssl. but
obviously that's not all sites.


On 10/13/07, Kristian Erik Hermansen <kristian.hermansen@gmail.com> wrote:
> So one example is that you are in a wifi cafe and you want to browse
> sites which may be available on both http and https. One example is
> when you browse google calendar. By default you will get http even
> after logging in over https. It doesn't really matter anyways and I
> should just code this up for myself. I was just wondering if
> something already existed...that whole code reuse concept...you know
> :-/
>
>
> On 10/12/07, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> wrote:
> > On Fri, 12 Oct 2007 15:06:14 PDT, Kristian Erik Hermansen said:
> > > I just wanted to clarify that I am looking for an extension that will
> > > rewrite all encountered HTTP references in Firefox to HTTPS. I would
> > > already have a firewall or some other layer7 filtering device blocking
> > > unencrypted traffic. The addon "Better Gmail" does something similar
> > > to this, with the "force HTTPS" option, but not exactly...
> >
> > What should this hypothetical extension do if it automagically redirects
> > http: to https:, but the target server is something that is only listening
> > on port 80 because it doesn't have https: enabled?
> >
> > https://www.cnn.com just sorta sits there for me.
> >
> >
>
>
> --
> Kristian Erik Hermansen
>


--
mike
http://lets.coozi.com.au/

Re: extension for Firefox to force HTTPS always?
Dear 3APAPA,

In the English language, the words criticism and suggestion are not
synonyms. If you could please kindly point out where Vladis makes
a suggestion (anywhere, anytime), or says anything constructive
(anywhere, anytime), or anything remotely clever (anywhere,
anytime) I would greatly appreciate it.

I am however impressed with your use of advanced computer hacking
tools such as host, openssl, and tcpdump in the Linux computer
hacking environment.

I feel your pain on the icmp issue as well. Some people are just
ratfuck bastards.

Cheers!

On Fri, 12 Oct 2007 22:12:08 -0400 Harry Hoffman <hhoffman@ip-solutions.net> wrote:
>what is wrong with his suggestion?
>
>If you look at the situation the following things happen:
>
>If there are a ton of addresses associated with the hostname record
>you'd be sitting there for a long time, no?
>
>It'd be nice if sites sent an unreachable message but some ppl still
>believe that blocking all ICMP is ok...
>
>go figure.
>
>Cheers,
>Harry
>
>
Re: extension for Firefox to force HTTPS always?
No idea you got an idea big guy?

No? Shut the fuck up.

On Fri, 12 Oct 2007 22:45:12 -0400 Valdis.Kletnieks@vt.edu wrote:
>On Sat, 13 Oct 2007 02:15:39 -0000, gjgowey@tmo.blackberry.net said:
>
>> I don't know about a browser extension, but you might be able to install
>> apache with mod_ssl, mod_proxy, and mod_rewrite locally then basically have it
>> take care of everything.
>
>Same problem still - you proxy, you rewrite it to port 443 - and the destination
>doesn't *have* anything at port 443. What should your Apache do?
Re: extension for Firefox to force HTTPS always?
On Sat, 13 Oct 2007 10:25:46 EDT, full-disclosure@hushmail.com said:

> No idea you got an idea big guy?

No, merely pointing out an under-specification of the problem. There's any
number of ways that it *could* be set up - the question is what the *desired*
behavior is. Blindly rewriting everything to https: is *doable*, but results
in some ugly corner cases. Now, Kristian's *original* request was "you don't
want to leak unencrypted data". The reasonable response is - is it OK to leak
unencrypted, *unimportant* data (such as hitting www.cnn.com to check the news
while you take a short break)? In fact, a *clever* pen tester may in fact
*want* to have at least *some* innocuous port 80 traffic, just so they don't
stand out because they're *only* doing port 443 traffic....

(And the *really* sneaky pen tester will maintain a pseudo-random stream of
hits to CNN and google and the like, and tunnel their *important* data out via
SSL to some site with a pr0n-for-pay-ish name like www.llamas-r-hot.com,
because you *expect* to see that sort of traffic distribution... ;)

So while "do everything over SSL" may sound like a good first cut (and in fact
*is* a good start), the overall question is "what data do you want to conceal,
and from whom, exactly?"

> On Fri, 12 Oct 2007 22:45:12 -0400 Valdis.Kletnieks@vt.edu wrote:
> >Same problem still - you proxy, you rewrite it to port 443 - and the destination
> >doesn't *have* anything at port 443. What should your Apache do?

And anybody who has been doing security for more than a week or so *knows* that
failure to deal with corner cases like "but there's nothing *listening* on
port 443" is a *major* source of bugs and places to find your 0-days.
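
The corner cases raised in this thread (a rewrite to https: when nothing answers on port 443, and a hostname with many A records that each silently drop the SYN) can be made an explicit policy decision instead of a hang. The JavaScript below is an added example, not code from any poster or from HTTPS Everywhere; the probe stub, timeout values, hostnames and TEST-NET addresses are constructed assumptions, and a real extension would probe asynchronously.

```javascript
// Connect outcomes for port 443, matching the cases raised in the thread:
//   'open'    - TCP/TLS handshake completes
//   'refused' - an RST (or ICMP unreachable) comes back quickly
//   'dropped' - SYNs are silently discarded; the caller waits out its timeout
const DEFAULT_POLICY = {
  perAddressTimeoutMs: 3000,   // assumed value: give up on one address after 3 s
  totalBudgetMs: 8000,         // assumed value: cap across all A records
  cleartextAllowed: new Set(), // hosts the user has accepted over plain HTTP
};

// Decide what to do with one navigation. `addresses` are the resolved A
// records; `probe(addr, timeoutMs)` returns { outcome, elapsedMs }.
function decide(rawUrl, addresses, probe, policy = DEFAULT_POLICY) {
  const url = new URL(rawUrl);
  if (url.protocol === 'https:') return { action: 'load', url: url.href, waitedMs: 0 };
  if (url.protocol !== 'http:') {
    return { action: 'block', reason: 'unsupported-scheme', waitedMs: 0 };
  }

  let waitedMs = 0;
  let reason = 'no-address';
  if (url.port !== '') {
    // http://host:8080/ gives no hint where (or whether) TLS is served.
    reason = 'nonstandard-port';
  } else {
    const upgraded = new URL(url.href);
    upgraded.protocol = 'https:';
    for (const addr of addresses) {
      const left = policy.totalBudgetMs - waitedMs;
      if (left <= 0) break; // budget spent: stop walking the A records
      const timeoutMs = Math.min(policy.perAddressTimeoutMs, left);
      const { outcome, elapsedMs } = probe(addr, timeoutMs);
      waitedMs += Math.min(elapsedMs, timeoutMs);
      if (outcome === 'open') return { action: 'load', url: upgraded.href, waitedMs };
      if (outcome === 'dropped') reason = 'https-timeout';
      else if (reason !== 'https-timeout') reason = 'https-refused';
    }
  }

  // Nothing answered on 443. Downgrade only where the user opted in per host;
  // otherwise fail closed so no request leaves in cleartext.
  if (policy.cleartextAllowed.has(url.hostname)) {
    return { action: 'load', url: url.href, waitedMs, downgraded: true };
  }
  return { action: 'block', reason, waitedMs };
}

// Constructed probe stub: unknown addresses behave as 'dropped', answers
// arrive after a made-up 40 ms round trip.
function makeProbe(table) {
  return (addr, timeoutMs) => {
    const outcome = table[addr] || 'dropped';
    return { outcome, elapsedMs: outcome === 'dropped' ? timeoutMs : 40 };
  };
}

function demo() {
  // Eight A records that all drop SYNs, like the capture earlier in the thread.
  const eight = Array.from({ length: 8 }, (_, i) => `192.0.2.${i + 1}`);
  const probe = makeProbe({ '198.51.100.7': 'open', '203.0.113.9': 'refused' });
  const lenient = { ...DEFAULT_POLICY, cleartextAllowed: new Set(['news.example']) };
  return {
    upgraded: decide('http://mail.example/inbox', ['198.51.100.7'], probe),
    refused: decide('http://old.example/', ['203.0.113.9'], probe),
    dropped: decide('http://news.example/world', eight, probe),
    optedIn: decide('http://news.example/world', eight, probe, lenient),
    oddPort: decide('http://intranet.example:8080/', ['198.51.100.7'], probe),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the total budget in place, the eight-address host costs 8 seconds instead of one full retransmit cycle per address, and the request is blocked unless the host was explicitly opted in to cleartext.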
Re: extension for Firefox to force HTTPS always?
*wow* you win an *award* for most *stars* used in an *email* to
demonstrate your *mental* *superiority* and the *dude* was not even
talking about pentesting he was talking about *browsing teh
interweb* at net cafes.

*you* could have asked for *clarifications* on what he was trying
to *accomplish* and instead you chose to *try* becoming a
*trendsetter* by using lots of *** in your *email* and still
managed to be *completely* offtopic *and* continue to be *useless*.
*at least* *gobbles* wants in your pants.

http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066616.html



On Sat, 13 Oct 2007 11:14:26 -0400 Valdis.Kletnieks@vt.edu wrote:
>On Sat, 13 Oct 2007 10:25:46 EDT, full-disclosure@hushmail.com said:
>
>> No idea you got an idea big guy?
>
>No, merely pointing out an under-specification of the problem. There's any
>number of ways that it *could* be set up - the question is what the *desired*
>behavior is. Blindly rewriting everything to https: is *doable*, but results
>in some ugly corner cases. Now, Kristian's *original* request was "you don't
>want to leak unencrypted data". The reasonable response is - is it OK to leak
>unencrypted, *unimportant* data (such as hitting www.cnn.com to check the news
>while you take a short break)? In fact, a *clever* pen tester may in fact
>*want* to have at least *some* innocuous port 80 traffic, just so they don't
>stand out because they're *only* doing port 443 traffic....
>
>(And the *really* sneaky pen tester will maintain a pseudo-random stream of
>hits to CNN and google and the like, and tunnel their *important* data out via
>SSL to some site with a pr0n-for-pay-ish name like www.llamas-r-hot.com,
>because you *expect* to see that sort of traffic distribution... ;)
>
>So while "do everything over SSL" may sound like a good first cut (and in fact
>*is* a good start), the overall question is "what data do you want to conceal,
>and from whom, exactly?"
>
>> On Fri, 12 Oct 2007 22:45:12 -0400 Valdis.Kletnieks@vt.edu wrote:
>> >Same problem still - you proxy, you rewrite it to port 443 - and the destination
>> >doesn't *have* anything at port 443. What should your Apache do?
>
>And anybody who has been doing security for more than a week or so *knows* that
>failure to deal with corner cases like "but there's nothing *listening* on
>port 443" is a *major* source of bugs and places to find your 0-days.
Re: extension for Firefox to force HTTPS always?
> demonstrate your *mental* *superiority* and the *dude* was not even
> talking about pentesting he was talking about *browsing teh
> interweb* at net cafes.

look at the first mail of this thread and accept that you are wrong.

But I realize that I'm expecting too much...

*PLONK*

--
Hail Eris! Hail Discordia!

Re: extension for Firefox to force HTTPS always?
*you* *forgot* *about* *the* *greatest* *german* *of* *all* *time*
*hail* *this* *dude*

* http://www.thereef.ws/members/Mental_Ward_Rehab/graphics/modsride.gif *

>--
>Hail Eris! Hail Discordia!
Re: extension for Firefox to force HTTPS always?
On Fri, Oct 12, 2007 at 6:55 PM, <Valdis.Kletnieks@vt.edu> wrote:
> What should this hypothetical extension do if it automagically redirects
> http: to https:, but the target server is something that is only listening
> on port 80 because it doesn't have https: enabled?
>
> https://www.cnn.com just sorta sits there for me.

Hello from the future! This "hypothetical extension" would handle such
cases...and will eventually be called HTTPS Everywhere :) [1] Keep an
eye out for it in a few years...

[1] https://www.eff.org/https-everywhere
--
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen
