Frackin script kiddies!!

Richard Pieri richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Aug 4 16:50:31 EDT 2010


On Aug 4, 2010, at 4:27 PM, Derek Martin wrote:
> 
> Sure it can; all you need to do is brute-force the key.  It's just a
> string of bits, after all...  What makes it effective is it takes
> much, much longer to do that, such as to make it impractical.  But it
> can be done.

Teach me to leave something out :).  In this case, I meant brute force against the authentication mechanism.  This is entirely independent of the SSL wrapper.

> This is crazy.  Because SSL + auth-digest is auth + encryption...  And

No, it isn't.  It's auth *after* encryption.  That is, an encrypted link is created between two parties without either party authenticating the other.  Insert MitM attack here.  Then the authentication step happens -- with the man in the middle logging your transactions.

[...]

> This I agree with.  The point being that if the pro picks your car,
> he's probably going to steal it regardless of what you did to try to
> stop him.  If he's determined, he can always just tow it.

Of course, the analogy doesn't carry over.  Data center infiltration is a different skill set :).

--Rich P.
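
The ordering discussed in the message above, as an added example that is not part of the original post: an HTTP Digest response is computed only from the credentials and the challenge, with no input from the TLS session, so whether the server was authenticated before the Digest step depends entirely on the client's certificate verification settings. The function names and the sample values (taken from the RFC 2617 worked example) are assumptions chosen for illustration.

```python
import hashlib
import ssl

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 Digest response with qop=auth."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_authenticated_by_tls(ctx):
    """True only if the handshake verifies the server's certificate and name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def unverified_context():
    """Weak setting: the link is encrypted, but the peer's identity is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verified_context():
    """Corrected setting: server identity is checked in the handshake, before Digest."""
    return ssl.create_default_context()

# Constructed sample input: the values of the RFC 2617 worked example.
SAMPLE = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
              method="GET", uri="/dir/index.html",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
              nc="00000001", cnonce="0a4f113b")

if __name__ == "__main__":
    # No argument of digest_response() comes from the TLS session, so the
    # response proves knowledge of the password, not who terminated the link.
    print("digest response:", digest_response(**SAMPLE))
    for name, ctx in (("unverified", unverified_context()),
                      ("verified", verified_context())):
        ok = server_authenticated_by_tls(ctx)
        print(f"{name}: answer the Digest challenge on this link? {ok}")
```
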







