On Wed, 23 Oct 2002, Roland Postle wrote:

> I disagree. How do you detect an attack (involving a low level buffer
> overflow etc..) that rides inside an encrypted session?

The whole issue of IDSes (and virus scanners) dealing with encrypted sessions (SSL, SSH, PGP mail, etc) is a mess in all aspects - no matter whether you talk about attack detection, covert channel detection, policy enforcement, etc, and it's a tough call - either a matter of host-based analysis on the endpoint; complex key management and transparent decryption; using centralized encryption mechanisms, or such.

My statement applied only to sessions that can be viewed, either on the wire or on the endpoint. Yes, saying this may be too much, yet I still stand by the opinion this is the case in general, to which there may be some fairly specific exceptions.

> Once again privacy and protection come head to head. Using encryption
> compromises your network,

Compromises the infrastructure, protects the information. You can't have privacy with compromised infrastructure, you can't have privacy if your sessions are being watched or tampered with... Don't we all love that? ;)

--
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2002-10-23 17:36 --
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 15:09:44 PDT