[stunnel-users] No encryption?
Jan Meijer
jan.meijer at surfnet.nl
Tue Sep 27 07:39:13 CEST 2005
On Mon, 26 Sep 2005, Revelancefound at aol.com wrote:
> It seems that stunnel does not encrypt outward traffic from my
> pc. I was able to get stunnel to work in the first place by having different
> proxies for each protocol. However, to test if my 8196 bit + x509 certificate
> keys actually encrypted my traffic I decided to do a test. I had sniffed my own
> computer using Cain and Able while logging in to my home router. To my
> disappointment, the sniffer picked up my username and password in plain text through
> HTTP protocol several times. Either that or Able can crack 256bit level
> encryption (256 x 32 = 8196) rather quickly.
Cain and Able is not the appropriate tool to sniff traffic, use ethereal.
Cain and Able is a very appropriate tool to spoof SSL connections to
unsuspecting users. You have not turned on certificate
verification in your stunnel configuration file so from an stunnel point
of view that makes you an unsuspecting user.
Summarized:
1. I think you're being fooled by Cain and Able.
2. Don't use Cain and Able on a production machine. Bad bad bad.
Jan
--
http://www.surfnet.nl/organisatie/jame
More information about the stunnel-users
mailing list