Meeting the InCommon Assurance profile criteria using Active Directory

[Ron Thielen <>]

Yes, or you could use something like Fiddler to capture and replay all HTTP(S) traffic.  However, the point of protected channels is to protect the data between the endpoints.  If the threat agent has inordinate access to either endpoint, then it’s game over anyway.  It’s about the channel, not the termination points. 

 

If you want more to worry about with regard to stupid things that can happen at endpoints, look at http://blog.elliottkember.com/chromes-insane-password-security-strategy

 

Ron

 

From: [mailto:] On Behalf Of Capehart,Jeffrey D
Sent: Thursday, September 12, 2013 1:06 PM
To:
Subject: [AD-Assurance] More info on SSL/TLS

 

I saw this on the SANS blog and Newsbites and thought it might be interesting reading since we have been talking about SSL and TLS.  Just in case you were wondering how hard it might be to decrypt your protected channel, this post goes into detail showing how easy it is to do.

-Jeff C.

 

https://isc.sans.edu/diary/Psst.+Your+Browser+Knows+All+Your+Secrets./16415

 

“I got to wondering one day how difficult it would be to find the crypto keys used by my browser and a web server for TLS sessions. I figured it would involve a memory dump, volatility, trial and error and maybe a little bit of luck. So I started looking around and like so many things in life….all you have to do is ask. Really. Just ask your browser to give you the secrets and it will! As icing on the cake, Wireshark will read in those secrets and decrypt the data for you. Here’s a quick rundown of the steps:”

 

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu