[WEB SECURITY] Turning off SSL after a hack?

Brian Eaton eaton.lists at gmail.com
Wed Jul 12 13:18:37 EDT 2006


On 7/12/06, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
> I have a hard time swallowing that SSL was actually turned off. More
> likely the author didn't get the facts straight. But who knows,
> stranger things have happened.

It sounds like they disabled outbound SSL traffic.

I saw one security policy that dictated no encryption be used on the
internal side of the DMZ, to make sure that the IDS had a chance to
observe all the traffic.  Encryption was used for external
communications, however.  The risk trade-offs are interesting.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


