Re: Mozilla Thunderbird SMTP down-negotiation weakness

From: Jason Haar (
Date: 10/26/05

  • Next message: "Remote MySQL User on Cpanel Default installation with blank password"
    Date: Thu, 27 Oct 2005 10:32:53 +1300
    To: Bob Beck <>

    Bob Beck wrote:

    > Sit you your faviorite wireless network and MITM your faviorite ssl
    >web sites off it. If your user population is very intelligent, maybe
    >only 9 out of 10 will click the "Windows is annoying me with a box and
    >an OK button - I will click OK to keep going" popup and ignore the
    >certificate mismatch utterly. Otherwise the only hard part will be
    >finding a user that doesn't ignore the mismatch - it's so easy to
    >get passwords this way it isn't even sporting. It's like whacking baby
    >seals with a stick.
    > SSL/TLS applications are just the latest most fertile ground where
    >software designers have put in a crutches for lazy stupid people thereby
    >rendering something kinda ok into something mostly useless.
    Well said. I don't see anyone complaining that MSIE allows you to
    click-through the warning that the presented cert doesn't match the
    hostname and carry on and get compromised. Same with signing executables.

    Users don't know what it means - and they "just want it to work!".
    Frankly, there is only so much technology can do. At some stage people
    have to start taking responsibility for their choices (shall we measure
    the IQ of people who open GIF-file based password protected zip files
    and run the contents!?!?!? Sheesh)

    Actually I'm glad you can click-through and ignore cert mismatches.
    Without it I couldn't read many self-signed Web sites where they use
    certs just to protect their data in transit. It would smack of monopoly
    practices if only Verisign-signed sites/whatever worked within browsers.

    Jason Haar
    Information Security Manager, Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417
    PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

  • Next message: "Remote MySQL User on Cpanel Default installation with blank password"