
BLU Discuss list archive



Frackin script kiddies!!



On Aug 4, 2010, at 4:27 PM, Derek Martin wrote:
> 
> Sure it can; all you need to do is brute-force the key.  It's just a
> string of bits, after all...  What makes it effective is it takes
> much, much longer to do that, such as to make it impractical.  But it
> can be done.

Teach me to leave something out :).  In this case, I meant brute force against the authentication mechanism.  This is entirely independent of the SSL wrapper.

> This is crazy.  Because SSL + auth-digest is auth + encryption...  And

No, it isn't.  It's auth *after* encryption.  That is, an encrypted link is created between two parties without either party authenticating the other.  Insert MitM attack here.  Then the authentication step happens -- with the man in the middle logging your transactions.

[...]

> This I agree with.  The point being that if the pro picks your car,
> he's probably going to steal it regardless of what you did to try to
> stop him.  If he's determined, he can always just tow it.

Of course, the analogy doesn't carry over.  Data center infiltration is a different skill set :).

--Rich P.
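The situation described in the message above (an encrypted link set up without the client authenticating the server, with the credential exchange then happening inside it) can be checked for on the client side before any credentials are sent. This is an added example, not part of the original post; it uses Python's standard `ssl` module, and the function names are hypothetical.

```python
import ssl

def peer_auth_gaps(ctx: ssl.SSLContext) -> list[str]:
    """List the ways this client context would accept an unauthenticated server."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not required to validate")
    if not ctx.check_hostname:
        gaps.append("certificate is not matched against the host name")
    return gaps

def may_send_credentials(ctx: ssl.SSLContext) -> bool:
    """Only allow the in-tunnel auth step (e.g. HTTP digest) on an authenticated link."""
    return not peer_auth_gaps(ctx)

def encrypt_only_context() -> ssl.SSLContext:
    # Constructed weak setting: encryption with no server authentication.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context() -> ssl.SSLContext:
    # Constructed partial setting: chain is validated, host name is not.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    return ctx

def authenticated_context() -> ssl.SSLContext:
    # Corrected setting: CERT_REQUIRED plus host name checking, system CA store.
    return ssl.create_default_context()

if __name__ == "__main__":
    for name, ctx in [("encrypt-only", encrypt_only_context()),
                      ("chain-only", chain_only_context()),
                      ("authenticated", authenticated_context())]:
        verdict = "ok to authenticate" if may_send_credentials(ctx) else "refuse"
        print(f"{name}: {verdict} {peer_auth_gaps(ctx)}")
```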









BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
