On Mon, 26 Sep 2005, Revelancefound@aol.com wrote:
> It seems that stunnel does not encrypt outward traffic from my PC. I was able to get stunnel to work in the first place by having different proxies for each protocol. However, to test if my 8196 bit + x509 certificate keys actually encrypted my traffic, I decided to do a test. I had sniffed my own computer using Cain and Abel while logging in to my home router. To my disappointment, the sniffer picked up my username and password in plain text through HTTP protocol several times. Either that or Abel can crack 256-bit level encryption (256 x 32 = 8196) rather quickly.
Cain and Abel is not the appropriate tool to sniff traffic; use Ethereal. Cain and Abel is a very appropriate tool to spoof SSL connections to unsuspecting users. You have not turned on certificate verification in your stunnel configuration file, so from an stunnel point of view that makes you an unsuspecting user.
Summarized: 1. I think you're being fooled by Cain and Abel. 2. Don't use Cain and Abel on a production machine. Bad bad bad.
Jan
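
For reference, an added example that is not part of the original message and not taken from the stunnel project: a client-mode stunnel service with no certificate verification, beside the same service with verification turned on. The service names, addresses, host name and CA file path are placeholders.

```ini
; Constructed example; service names, ports, host and file paths are placeholders.

; Weak: no "verify" option, so stunnel accepts any certificate the peer
; presents, including one generated on the fly by an interception tool.
[web-unverified]
client = yes
accept = 127.0.0.1:8080
connect = remote.example.net:443

; Corrected: the peer's certificate chain must validate against the CA in
; CAfile, otherwise the handshake fails and no data is forwarded.
[web-verified]
client = yes
accept = 127.0.0.1:8081
connect = remote.example.net:443
verify = 2
CAfile = /etc/stunnel/ca-cert.pem
; verify = 3, with the peer's own certificate in CAfile, accepts only that
; locally installed certificate.
; stunnel 5.x also offers verifyChain = yes and checkHost = remote.example.net,
; which adds the host name check that verify = 2 does not perform.
```

With verification on, a substituted certificate causes the connection through the tunnel to fail instead of being silently accepted, which is the signal to look for when testing.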