*QUOTE*

......... both useful and malicious information can be transmitted via network connections. Standard solutions protect computers against threats present in standard network connections, but aren't able to counter threats present in secure connections. Verifying the contents of a secure connection is impossible by virtue of its secure nature, as demonstrated by the different types of protection listed above. As a result, malicious data within secure channels can cause a significant amount of damage, and sometimes more than if it were to be transmitted via a standard, non-secure connection. The fact that it's easy to encrypt a network channel and the fact that in most cases there will be no verification of who created the file results in a contradictory situation: a "secure connection" to a server provides the user with a feeling of security, but does not guarantee that the connection will be free from malicious data.

http://www.viruslist.com/en/analysis?pubid=204791929

*UNQUOTE*

Alan
On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:

> a "secure connection"

This is nothing more than a misleading phrase. The HTTPS connection should be called "the encrypted [and authenticated] connection". It is just that - an encrypted but not any more secure than the non-encrypted.

Somebody (an illiterate journalist, as usual) has invented this phrase and unfortunately it became widely [mis]used...

Tony.

--
Properly read, the bible is the most potent force for atheism ever conceived.
On Sat, 17 Mar 2007 in grc.security, Anthony OZ wrote

>On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:
>
>> a "secure connection"
>This is nothing more than a misleading phrase.
>The HTTPS connection should be called "the encrypted [and
>authenticated] connection".
>It is just that - an encrypted but not any more secure than the non-encrypted.
>
>Somebody (an illiterate journalist, as usual) has invented this phrase
>and unfortunately it became widely [mis]used...

And IIRC it's relatively easy for a network admin to set up an undetectable Man In The Middle attack that would let them see all the traffic unencrypted even though it was encrypted at both ends.

--
GRC Newsgroups/Guidelines/No Regrets: http://www.imilly.com/noregrets.htm
From invalid, Reply To works.
Kevin A.
On Sat, 17 Mar 2007 13:45:13 +0300, Kevin A. <svwdun902@sneakemail.com> wrote:

> ...it's relatively easy for a network admin to set up an undetectable
> Man In The Middle attack that would let them see all the traffic
> unencrypted even though it was encrypted at both ends.

You should have started it with: "Provided an admin has the control over a client's machine and a client is dumb enough...".

With a decent browser|e-mail it is not that easy for a malicious admin (I'm not talking about root-kits totally subverting what a user sees via a GUI).

Unlike IEv7 (where I could not find a way to see the selected cipher and the key length for a given HTTPS session) Opera gives you the complete info about all the details involved in the protecting of your current HTTPS connection.

Tony.

--
Properly read, the bible is the most potent force for atheism ever conceived.
On Sat, 17 Mar 2007 13:29:46 +0300, Anthony OZ sent:

> This is nothing more than a misleading phrase. The HTTPS connection
> should be called "the encrypted [and authenticated] connection". It is
> just that - an encrypted but not any more secure than the non-encrypted.

I would disagree. My kept-private conversation with someone *is* secure. Certainly compared to having an open conversation where others can hear what we're saying. Of course there's no guarantees about what use might be made of the information, afterwards.

> Somebody (an illiterate journalist, as usual) has invented this phrase and
> unfortunately it became widely [mis]used...

More likely whoever came up with "HTTPS" (Hyper Text Transfer Protocol Secured). Which is different than "S-HTTP" (Secure Hyper Text Transfer Protocol). A journo didn't name it HTTPS.

--
This message was sent without a virus, please destroy some files yourself.
Kevin A. wrote:

> On Sat, 17 Mar 2007 in grc.security, Anthony OZ wrote
>>On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:
>>
>>> a "secure connection"
>>This is nothing more than a misleading phrase.
>>The HTTPS connection should be called "the encrypted [and
>>authenticated] connection".
>>It is just that - an encrypted but not any more secure than the
>>non-encrypted.
>>
>>Somebody (an illiterate journalist, as usual) has invented this phrase
>>and unfortunately it became widely [mis]used...
>
> And IIRC it's relatively easy for a network admin to set up an
> undetectable Man In The Middle attack that would let them see all the
> traffic unencrypted even though it was encrypted at both ends.

FWIW, the admin would have to be more than just the "network" admin. They would also have to be the local system administrator (or the Domain administrator, in a thinish-client setup) in order to install locally controlled root keys at the local endpoints.

Regards,
Sam
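
The point about locally installed root keys suggests a check that can be run from the endpoint: a proxy whose root is in the local trust store still passes ordinary chain validation, but the leaf certificate it presents will not match a fingerprint recorded out of band. The following is an added example, not part of any post in this thread; `session_details`, `assess`, `sample` and the constructed byte strings are illustrative names, and the pin is assumed to have been obtained over a trusted path. It also reports the cipher and key length mentioned earlier in the thread.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def session_details(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect using the system trust store and report what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher, protocol, bits = tls.cipher()
            issuer = dict(pair for rdn in tls.getpeercert()["issuer"] for pair in rdn)
            der = tls.getpeercert(binary_form=True)
    return {"cipher": cipher, "protocol": protocol, "bits": bits,
            "issuer": issuer.get("commonName"), "sha256": fingerprint(der)}


def assess(details: dict, pinned_sha256: str, min_bits: int = 128) -> list:
    """Return a list of findings; an empty list means the session matches the pin."""
    findings = []
    pin = pinned_sha256.replace(":", "").lower()
    if details["sha256"] != pin:
        # Chain validation already passed, so either the site rotated its
        # certificate or a different trusted root vouched for this leaf.
        findings.append("leaf certificate differs from pin, issuer: %s" % details["issuer"])
    if details["bits"] < min_bits:
        findings.append("cipher %s uses only %d secret bits" % (details["cipher"], details["bits"]))
    return findings


# Constructed byte strings standing in for two DER certificates (not real certs).
ORIGIN_LEAF = b"constructed-origin-leaf"
PROXY_LEAF = b"constructed-proxy-leaf"
PINNED = fingerprint(ORIGIN_LEAF)


def sample(der: bytes, bits: int = 256) -> dict:
    """Constructed session record, shaped like the output of session_details()."""
    return {"cipher": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "bits": bits,
            "issuer": "Constructed Local Root", "sha256": fingerprint(der)}


if __name__ == "__main__":
    print(assess(sample(ORIGIN_LEAF), PINNED))
    print(assess(sample(PROXY_LEAF), PINNED))
```

Against a live host, pass the result of `session_details("host.example")` to `assess` with the pin recorded earlier.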
On Sun, 18 Mar 2007 08:50:22 +0300, Tim <tim@mail.localhost.invalid> wrote:

> I would disagree. My kept-private conversation with someone *is* secure.

Something "secured" is "secure", your private conversation is just "private".

For me - "security" is "absence of threats and dangers". The "privacy" in itself does NOT prevent the second party from causing you all sorts of troubles.

Tony.

--
Properly read, the bible is the most potent force for atheism ever conceived.
Anthony OZ wrote:

> On Sun, 18 Mar 2007 08:50:22 +0300, Tim <tim@mail.localhost.invalid> wrote:
>
>> I would disagree. My kept-private conversation with someone *is* secure.
> Something "secured" is "secure", your private conversation is just
> "private".
>
> For me - "security" is "absence of threats and dangers".

So nothing ever will be secure. What have we done to be condemned to existence on an imperfect world?

> The "privacy" in itself does NOT prevent the second party from causing
> you all sorts of troubles.

As long as wet-ware is involved troubles are always lurking on the horizon. "Privacy" is the closest we can come to "safety" so it is not a bad goal even if it doesn't mean complete security.

>
> Tony.
>
> --Properly read, the bible is the most potent force for atheism ever
> conceived.