I have been in communication with Mr. Quakenbush. He says that only the demo version sends passwords in plaintext (I clearly have no mechanism to confirm this); bought versions use SSL. He has not yet addressed the issue of impersonating the server. He says that the Web site will be updated to reflect recent developments.

It looks like this is better than it looks; presumably the l0pht folks only had access to a demo version. The Quakenbush Web site does make it clear that the 'full' version uses SSL, but not prominently.

Assuming that the issue of impersonating the server is addressed, Quakenbush seem to be better than first portrayed here - although clearly the demo version should be more obviously marked as to how extremely dangerous it is.

[There was the usual marketing blurb about how they write tools for crackers and we write them for good guys and so our tools must be better.]

--
David Damerell, Computer Officer, Department of Chemistry, Cambridge
Work: djsd100at_private Personal: damerellat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:53 PDT