Re: PHP mysql_excape but need to search for those items [message #178403 is a reply to message #178401]
Thu, 14 June 2012 11:40
Jerry Stuckle (Senior Member; Messages: 2598; Registered: September 2010)
On 6/14/2012 2:47 AM, Arno Welzel wrote:
> Jerry Stuckle, 12.06.2012 14:00:
>
>> On 6/12/2012 5:35 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 11.06.2012 23:06:
>>>
>>>> On 6/11/2012 2:38 PM, J.O. Aho wrote:
>>> [...]
>>>> > Don't forget man in the middle, using https will not protect against
>>>> > that.
>>>>
>>>> Actually, it will. HTTPS transmissions are encrypted between the client
>>>> and the server using public/private key encryption. That's the whole
>>>> purpose of HTTPS.
>>>
>>> But only if the client *only* trusts the specific certificate. Otherwise
>>> the man in the middle can just set up a proxy which also accepts SSL
>>> connections and provides a valid certificate. There have been a number
>>> of broken CAs in the past which allowed virtually anyone to create
>>> signed and "trusted" certificates for any domain
>>
>> Setting up a proxy would mean alterations to the domain name servers
>> data. Additionally, the certificate either would not match the domain
>> name or the certificate would not be signed by a recognized authority
>> (which is a good reason to use a trusted certificate).
>
> Nameservers can be compromised - e.g. by cache poisoning.
>
And exactly how often has that occurred? And who has the tools to do it?
>> I don't know of any broken CAs in the past, but there could have been.
>> However, the ones I use won't issue a certificate just to anyone.
>
> And these are?
>
Thawte, for one. Verisign for another.
> Just as a reminder: DigiNotar, Comodo, RSA - just to name a few who
> already got compromised.
>
> Also see:
>
> <http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/>
>
> <http://www.itscolumn.com/2011/09/certificate-authority-hacked-google-faced-mitm-attack/>
>
> The whole model of trusting CAs and not single certificates (as in SSH)
> must be considered broken.
>
>
And you have a better solution?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
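The exchange above turns on one point: HTTPS stops a man in the middle only if the client refuses any certificate other than the one it expects, rather than accepting anything signed by one of the many CAs in its trust store. Arno's comparison to SSH refers to trust-on-first-use (TOFU): record the fingerprint the first time, and refuse to proceed if it later changes. The following is an added example (written for this page, not code from the thread or its participants) of that model in Python's standard library. It keeps the normal CA validation and adds pinning on top, so a CA-signed but different certificate is reported as a mismatch instead of being accepted silently. The host name `example.test` and the byte strings standing in for DER certificates are constructed for the demonstration; `fetch_peer_cert` is the only part that touches the network and is not exercised by the offline demo.

```python
"""
Trust-on-first-use (TOFU) certificate pinning in the style of SSH's
known_hosts. Added example, not code from the thread. Standard library only.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Dict, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Maps 'host:port' to the fingerprint seen on first connection.

    check() yields one of three outcomes:
      'new'      - never seen before; the fingerprint is recorded now
      'match'    - same certificate as last time
      'mismatch' - a different certificate, which is what an interposed
                   proxy presenting its own (even CA-signed) certificate
                   would produce
    """

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key = f"{host}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            self._save()
            return "new"
        return "match" if pinned == seen else "mismatch"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS connection with the default CA validation and return the
    leaf certificate as DER bytes. CA validation still runs; pinning is a
    second check layered on top of it, not a replacement for it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_pinned(store: PinStore, host: str, port: int = 443) -> str:
    """Fetch the server certificate and compare it to the pin store; fail
    closed on a mismatch rather than trusting any CA-signed certificate."""
    der = fetch_peer_cert(host, port)
    result = store.check(host, port, der)
    if result == "mismatch":
        raise ssl.SSLCertVerificationError(
            f"certificate for {host}:{port} changed; pinned "
            f"{store.pins[f'{host}:{port}']}, got {fingerprint(der)}")
    return result


if __name__ == "__main__":
    # Offline demonstration. The byte strings are constructed stand-ins for
    # DER certificates; the host name is a constructed example.
    store = PinStore()
    legit = b"constructed-der-bytes-for-example.test-cert-1"
    other = b"constructed-der-bytes-for-a-different-cert"
    print(store.check("example.test", 443, legit))   # new
    print(store.check("example.test", 443, legit))   # match
    print(store.check("example.test", 443, other))   # mismatch
```

The design accepts the first certificate unseen, exactly as SSH does, so the first connection is the one that must be made over a path you trust; after that, a CA compromise of the kind DigiNotar or Comodo suffered cannot substitute a certificate without tripping the mismatch. Passing a `Path` to `PinStore` persists the pins as JSON between runs.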