[stunnel-users] Cannot connect to SBC/yahoo to send (or telnet)

James Moe jimoe at sohnen-moe.com
Fri Dec 5 20:28:20 CET 2008



On 12/01/08 02:10 am, Michal Trojnara wrote:
>
> Just be aware a configuration without any authentication (a certificate is
> not sent nor verified) is vulnerable to trivial active (MiTM) attacks.
> There are various lamer-friendly tools available, so an attack is no more
> difficult than sniffing a plaintext connection.
>
  (I had sent on 1-Dec-2008 but it never showed up on the list. :-( )

<rant>
  Computer security makes me feel stupid. It has got to be one of the most
opaque concepts in the industry. The problems discussed in this thread are
typical.
  sbc/yahoo changed their session setup to require an encrypted
connection. Fine. Then they refuse a session if the client offers a
certificate without a CA chain, i.e., self-signed. But it allows a connection
when no client certificate is offered at all.
  To verify that sbc is really sbc, a CA certificate is needed from sbc.
But to get said certificate an extremely obscure method must be used. (And
how do I know that the site I connected to is really sbc since I do not
have a CA certificate?) Then more obscure file manipulation and setup is
required for Stunnel.
  It is no wonder that computer security is bungled so often. It is set up
to do so.
  I see a lot of "All you have to do is these 247 steps..." to accomplish
a "simple" security task. That's assuming I have all of the tools needed.
  I am sure that, somewhere, there must be a clear discussion of how
SSL/TLS certificates work, what the client may provide, what the server
may provide, what is necessary to establish a secure, authenticated
session. I have not found it.
</rant>

--
jimoe (at) sohnen-moe (dot) com
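To make the two setups discussed in this thread concrete, here is an added stunnel client-mode configuration (not James's or Michal's own config): the no-authentication service Michal warns about, next to one that verifies the server's certificate against a CA certificate obtained out of band. The service names, the port numbers, the hostname smtp.example.invalid and the path /etc/stunnel/provider-ca.pem are placeholders.

```ini
; Added example, not the original poster's configuration.
; Hostnames, ports and file paths below are placeholders.

; WEAK: no "verify" line at all. The link is encrypted, but stunnel never
; checks who is on the other end, so anyone able to sit in the path can
; present their own certificate and read the mail session. This is the
; "no authentication" setup that is open to a trivial active (MiTM) attack.
[smtp-weak]
client  = yes
accept  = 127.0.0.1:2525
connect = smtp.example.invalid:465

; VERIFIED: verify = 2 requires the server to present a certificate that
; chains to a CA listed in CAfile; a self-signed or unknown certificate
; makes the handshake fail instead of silently connecting. The CA
; certificate itself must come from a source you already trust, not from
; the very connection you are trying to verify. No "cert" line is given:
; the provider accepts sessions without a client certificate.
[smtp-verified]
client  = yes
accept  = 127.0.0.1:2526
connect = smtp.example.invalid:465
verify  = 2
CAfile  = /etc/stunnel/provider-ca.pem
```

Point the mail client at the local port of the verified service and, if the connection is refused at handshake time, treat that as the check working rather than as a configuration nuisance.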
