Secure connections: how secure are they?

*QUOTE*

......... both useful and malicious information can be transmitted via network
connections. Standard solutions protect computers against threats present in
standard network connections, but aren't able to counter threats present in
secure connections. Verifying the contents of a secure connection is
impossible by virtue of its secure nature, as demonstrated by the different
types of protection listed above. As a result, malicious data within secure
channels can cause a significant amount of damage, and sometimes more than if
it were to be transmitted via a standard, non-secure connection.

The fact that it's easy to encrypt a network channel and the fact that in most
cases there will be no verification of who created the file results in a
contradictory situation: a "secure connection" to a server provides the user
with a feeling of security, but does not guarantee that the connection will be
free from malicious data.

http://www.viruslist.com/en/analysis?pubid=204791929

*UNQUOTE*

Alan



0
alan
3/17/2007 5:57:20 AM
grc.security 16608 articles. 1 followers. Follow

7 Replies
778 Views

Similar Articles

[PageSpeed] 55

On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:

> a "secure connection"
This is nothing more than a misleading phraze.
The HTTPS connection should be called "the encrypted [and authenticated]  
connection".
It is just that - an encrypted but not any securier than the non-encrypted.

Somebody (an illiterate journalist, as usual) has invented this phraze and  
unfortunatelly it became widely [mis]used...

Tony.

-- 
Properly read, the bible is the most potent force for atheism ever  
conceived.
0
Anthony
3/17/2007 10:29:46 AM
On Sat, 17 Mar 2007 in grc.security, Anthony OZ wrote
>On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:
>
>> a "secure connection"
>This is nothing more than a misleading phraze.
>The HTTPS connection should be called "the encrypted [and 
>authenticated]  connection".
>It is just that - an encrypted but not any securier than the non-encrypted.
>
>Somebody (an illiterate journalist, as usual) has invented this phraze 
>and  unfortunatelly it became widely [mis]used...

And IIRC it's relatively easy for a network admin to set up an 
undetectable Man In The Middle attack that would let them see all the 
traffic unencrypted even though it was encrypted at both ends.
-- 
GRC Newsgroups/Guidelines/No Regrets:
http://www.imilly.com/noregrets.htm
 From invalid, Reply To works.
Kevin A.
0
Kevin
3/17/2007 10:45:13 AM
On Sat, 17 Mar 2007 13:45:13 +0300, Kevin A. <svwdun902@sneakemail.com>  
wrote:

> ...it's relatively easy for a network admin to set up an undetectable  
> Man In The Middle attack that would let them see all the traffic  
> unencrypted even though it was encrypted at both ends.
You should have started it with: "Provided an admin has the control over a  
client's machine and a client is dumb enough...".

With a decent browser|e-mail it is not that easy for a malicious admin  
(I'm not talking about root-kits totally subverting what a user sees via a  
GUI.).

Unlike IEv7 (where I could not find a way to see the selected cipher and  
the key length for a given HTTPS session) Opera gives you the complete  
info about all the details involved in the protecting of your current  
HTTPS connection.

Tony.

-- 
Properly read, the bible is the most potent force for atheism ever  
conceived.
0
Anthony
3/17/2007 11:10:34 AM
On Sat, 17 Mar 2007 13:29:46 +0300, Anthony OZ sent:

> This is nothing more than a misleading phraze. The HTTPS connection
> should be called "the encrypted [and authenticated] connection". It is
> just that - an encrypted but not any securier than the non-encrypted.

I would disagree.  My kept-private conversation with someone *is* secure.
Certainly in compared to having an open conversation where others can hear
what we're saying.

Of course there's no guarantees about what use might be made of the
information, afterwards.

> Somebody (an illiterate journalist, as usual) has invented this phraze and
> unfortunatelly it became widely [mis]used...

More likely whoever came up with "HTTPS" (Hyper Text Transfer Protocol
Secured).  Which is different than "S-HTTP" (Secure Hyper Text Transfer
Protocol).  A journo didn't name it HTTPS.


-- 

This message was sent without a virus, please destroy some files yourself.

0
Tim
3/18/2007 5:50:22 AM
Kevin A. wrote:
> On Sat, 17 Mar 2007 in grc.security, Anthony OZ wrote
>>On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:
>>
>>> a "secure connection"
>>This is nothing more than a misleading phraze.
>>The HTTPS connection should be called "the encrypted [and
>>authenticated]  connection".
>>It is just that - an encrypted but not any securier than the
>>non-encrypted.
>>
>>Somebody (an illiterate journalist, as usual) has invented this phraze
>>and  unfortunatelly it became widely [mis]used...
> 
> And IIRC it's relatively easy for a network admin to set up an
> undetectable Man In The Middle attack that would let them see all the
> traffic unencrypted even though it was encrypted at both ends.

FWIW, the admin would have to be more than just the "network" admin. They
would also have to be the local system administrator (or the Domain
administrator, in a thinish-client setup) in order to install locally
controlled root keys at the local endpoints.

Regards,
Sam
0
Sam
3/18/2007 6:00:29 AM
On Sun, 18 Mar 2007 08:50:22 +0300, Tim <tim@mail.localhost.invalid> wrote:

> I would disagree.  My kept-private conversation with someone *is* secure.
Something "secured" is "secure", your private conversation is just  
"private".

For me - "security" is "absence of threats and dangers".
The "privacy" in itself does NOT prevent the second party from causing you  
all sorts of troubles.

Tony.

-- 
Properly read, the bible is the most potent force for atheism ever  
conceived.
0
Anthony
3/18/2007 11:51:15 AM
Anthony OZ wrote:
> On Sun, 18 Mar 2007 08:50:22 +0300, Tim <tim@mail.localhost.invalid> wrote:
> 
>> I would disagree.  My kept-private conversation with someone *is* secure.
> Something "secured" is "secure", your private conversation is just 
> "private".
> 
> For me - "security" is "absence of threats and dangers".

So nothing ever will be secure. What have we done to be condemned to 
existence on an imperfect world?

> The "privacy" in itself does NOT prevent the second party from causing 
> you all sorts of troubles.

As long as wet-ware is involved troubles are always lurking on the horizon.

"Privacy" is the closest we can come to "safety" so it is not a bad goal 
  even if it doesn't mean complete security.

> 
> Tony.
> 
> --Properly read, the bible is the most potent force for atheism ever 
> conceived.
0
Dave
3/18/2007 9:27:06 PM
Reply:

Similar Artilces:

security too secure
Name: joe Product: Firefox Summary: security too secure Comments: The security thing won't let me in this sight no matter how I accept, confirm, get certificate, etc. https://www.vtext.com/customer_site/jsp/messaging_lo.jsp Browser Details: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4 From URL: http://hendrix.mozilla.org/ Note to readers: Hendrix gives no expectation of a response to this feedback but if you wish to provide one you must BCC (not CC) the sender for them to see it. ...

when is secure, secure?
Lo everyone, I wrote a custom authentication handler for PureFTPD, using a combination of authentication methods, for about 4 different types of users. So far, from testing it, it does look to work properly, and does it's job pretty well (and fast). I use #!/usr/bin/perl -W as well as use Strict, and use warnings, and the code returns no errors or warnings when run. I am right to presume that this basically only really tells me the my syntax and structure of the application is right? What's a good way to see whether it is actually SECURE... There is a couple of lines of...

How secure is secure?
Thanks to this group and all the high tech individuals who frequent it I have learned how to protect my PC from the inside out. But what about security risks to my info 'before' it gets to my computer? Like my mail box on the server. Could someone hack into that and thumb through my mail? If so, how would I ever know? (The short story) We have a rogue employee at my work who one day decided to run the web site, she got in tight with the ISP, got tools to set and delete passwords on a protected directory on the server. Who knows if she has telnet access to other things, li...

How secure is secure enough?
July 28, 2008 (Computerworld) This story originally appeared in Computerworld's print edition. If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?" It's a question that many security managers have either avoided answering altogether or tried to quickly sidestep by throwing a fistful of mainly pointless operational metrics at anyone who cared to ask. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=321921&intsrc=hm_list -- "Never d...

Security
This is a multi-part message in MIME format. --------------080100010401000103080002 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit I'm a Mac user 10.4.8 of Thunderbird 1.5.0.7 & am wondering how "Enabling FIPS" will improve my security? I can't seem to find any explanation of FIPS under Thunderbird help. -- Have a good day R Schwager --------------080100010401000103080002 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Tr...

form security against security
i have a form in my website which is to be filled by user and that form stores in database(sql server 2005). but someone told me that anyone can run script  in textboxes in that form and can damage database, so how to avoid such security lack.  it is common practice to use parameterized sql statements or stored procs to insure you are protected from sql injections attacks. if you concatenate user input directly into a sql statement, then you are at risk.Mike Banavige~~~~~~~~~~~~Need a site code sample in a different language? Try converting it with: http://converte...

How secure is AuthenticationTypes.Secure?
I understand that AuthenticationTypes.Secure requests secure authentication using Kerberos or NTLM (??). However, here is a scenario I am trying to understand. Let us say that I am having a regular ASP.NET site - with SSL certificates not installed on the web server. The login sends the request out to an AD server which also does not have certificates installed. However, I have set Secure flag to AuthenticationTypes.Secure. When the username and password data gets transmitted between the application and the LDAP server, how secure are the password and username info? In other words is this in...

Password secure...is it secure?
Yes I just got this baby and I LOVE it! Its great. I have stored all my passwords inside of it (and yes made a few backups from them in secure locations) How secure is this program really? It uses blowfish to encrypt the database but how strong blowfish? 128bits? 256? 448? Anything else I should think about it? I have putted it and its databases inside PGPdisk just to play it safe...but then again Im a paranoid. :) -- Markus Jansson ************************************ My privacy related homepage and PGP keys: http://www.geocities.com/jansson_markus/ ********...

Secure By Design: How Guardian Digital Secures EnGarde Secure Linux
"EnGarde Secure Linux is not just another "repackaged" Linux distribution, but a modern open source system built from the ground up to provide secure services in the threatening world of the modern Internet."... http://www.linuxsecurity.com/content/view/125195/171/ ...."The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are freely available with GDSN registration."... http://www.engardelinux.org/modules/index/index.cgi -- js ...

Part 1A: Securing an even more secure connection ...
Gang, After thinking about the dialog with John and Dave yesterday, I have an much improved design. Dave's observation that the first scheme I had was "Not Forward Secure" was the main catalyst. "Not Forward Secure" means that a government agency could record traffic, then legally force GRC to divulge the GRC VoIP private key -- then decode ANY of the previous interchanges recorded in the past. This improved approach not only adds full forward security, it even eliminates one of the three interchange packets, dropping the handshake to just two packet...

UserApp redirect non-secure to secure connections
Hi, I have seen various posts on the forum for my problem... I have tried all... But no success :( my problem is the redirect to SSL only (8081 & 8444 in my case since iManager has taken 8080 & 8443) - 8444 is working if you specify it in the URL (so SSL is enabled) - I have changed all instances of 8443 to 8444 in the server.xml file, even the HTTP redirect - I have changed the web.xml file in the .WAR file as specified, I have just moved the description node a few places up, else one would get an error complaining about the "description" node - when I n...

Netstorage Secure then UN-Secure
Have a problem with Netstorage: I log in under the secure website of https://ipaddress:51443/oneNet/NetStorage and then after drilling down to folder, the secure web site changes to http://ipaddress:51443/oneNet/NetStorage/Documents. Why??? does it go to the unsecure site? Claudia, It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply. Has your problem been resolved? If not, you might try one of the following options: - Do a search of our knowledgebase at http://support.novell.com...

Secure page to Secure page
Name: Jonathan Email: jbeldonatopenwaterloansdotcom Product: Firefox Release Candidate Summary: Secure page to Secure page Comments: I have had several crashes going from a secure page to another secure page. The response I often get is that the page does not exist. This only seems to occur on secure pages. Browser Details: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b4) Gecko/2008030714 Firefox/3.0b4 From URL: http://hendrix.mozilla.org/ ...

java.security.Security issue
Hi, EAServer 4.2 build 42012 on NT (jdk13). This code works as a Java clientapp but not when the code is inside an EJB in EAServer? Can we register Security provider dynamically? // system var. System.setProperty("javax.net.ssl.keyStore", "<val>"); System.setProperty("javax.net.ssl.keyStorePassword", "<val>"); System.setProperty("javax.net.ssl.trustStore", "<val>"); System.setPropert("javax.net.ssl.trustStorePassword","<val>"); System.setProperty("javax.net.debug", &...

Web resources about - Secure connections: how secure are they? - grc.security

Resources last updated: 12/26/2015 10:17:02 PM