>> So, just because it does strong authentication, you think that means the
>> actual data is encrypted?
>
> It's actually a certificate verification message, not a 'strong
> authentication' message. It's asking about an SSL certificate that's
> used to encrypt the entire communications channel.
>
> You know, like actual security.
Fact: It doesn't matter how strong the authentication process is. This
does not automatically mean that the data that follows is encrypted in
any way at all.
> Don't believe me? Fine, I'll do a wireshark trace on it.
>
> Nope, 1200 packets, nothing in the clear.
And how do you tell whether random binary data is encrypted or not?
> "128-bit encryption, using the RC4 encryption algorithm, as of Version 6.
RC4? Man, how ancient is that? You realise it was a weakness in RC4 that
allowed WEP to be broken, right?
> Nope, I guess you're right. Adding 128-bit encryption isn't security.
Fact: The number of bits in the encryption key is not directly related
to how secure the encryption is. Triple DES has a 168-bit key, and it's
widely considered far too insecure to use.
> "Support for Transport Layer Security (TLS) 1.0 on both server and client
> ends (set as default)."
Now that's more like it.
(Sadly, on further investigation, it appears that TLS 1 still uses RC4
or Triple-DES. So much for HTTPS being secure...)
> Clearly I don't have a clue what I'm talking about.
I'm still left wondering how many of these features are actually turned
on by default. Every Windows protocol I know of sends everything
unencrypted by default, and most of them offer no possibility of adding
encryption. I'd be rather surprised if RDP is different.
> Oh, and I pointed you at an SSH server for Windows. It comes with Cygwin.
Right. I didn't know about that when I set this up.
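The question raised above, how anyone is supposed to tell from a packet capture whether "nothing in the clear" means encrypted, is worth making concrete. The following is an added example and not part of the original thread: it measures the byte-level Shannon entropy of a constructed plaintext, of the same data zlib-compressed, and of the same data run through a constructed hash-based keystream XOR that stands in for a real stream cipher (the standard library has no AES, and the keystream routine is a demonstration stand-in, not something to deploy). All inputs, the key and the function names are assumptions for the demonstration.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a stream cipher: SHA-256 in counter mode, XORed over the data.

    Demonstration code only; it exists so the example can produce
    ciphertext-like bytes offline without a crypto library.
    """
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def constructed_plaintext(lines: int = 2000) -> bytes:
    """Constructed HTTP-like log lines; the hex tag keeps the data from compressing to nothing."""
    rows = []
    for i in range(lines):
        tag = hashlib.sha256(b"sample-%d" % i).hexdigest()[:8]
        rows.append(f"GET /catalog/item/{i} HTTP/1.1 Host: intranet.example session={tag}")
    return "\n".join(rows).encode()


def compare_entropy() -> dict:
    """Entropy of the same payload as plaintext, compressed, and 'encrypted' with the stand-in cipher."""
    plain = constructed_plaintext()
    compressed = zlib.compress(plain, 9)
    scrambled = keystream_xor(plain, b"constructed-demo-key")  # assumed key, demonstration only
    return {
        "plaintext": shannon_entropy(plain),
        "compressed": shannon_entropy(compressed),
        "encrypted": shannon_entropy(scrambled),
    }


if __name__ == "__main__":
    for label, bits in compare_entropy().items():
        print(f"{label:10s} {bits:.3f} bits/byte")
```

The plaintext sits well below 6 bits per byte, while both the compressed and the keystream-XORed copies land near 8, within a fraction of a bit of each other. A capture that shows no readable strings therefore proves only that the bytes are not plain text; compression, a proprietary binary framing or a real cipher all look the same to this test. The check a defender actually wants is the negotiated protocol and cipher suite visible in the handshake, not the appearance of the payload.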