On 17/10/2011 07:10 PM, Darren New wrote:
> Um, lots, yes. You think there haven't been any new internet protocols
> since mid-1990's?
Basically, yes?
>> 3. Since old versions of Windows send everything unencrypted, you would
>> think that means that new versions have to send everything unencrypted
>> too, for the sake of backwards compatibility.
>
> Unless the protocol was invented after SSL, at which point there are no
> backward compatibility requirements with pre-encryption protocols.
Active Directory uses Kerberos authentication, but by default it still
generates weak-arse LANMAN password hashes for backwards compatibility.
So it doesn't matter how strong Kerberos may or may not be, because you
can just attack LANMAN instead.
That's just one example of how backwards compatibility tends to
completely ruin any attempt at security.
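A defender's check for the LANMAN default the post describes, added here as an example and not part of the thread: it reads the `NoLMHash` value under the LSA registry key (the setting behind the "Do not store LAN Manager hash value on next password change" policy) and reports whether the host will still generate LM hashes. The key path and value name are real; the function name is mine.

```powershell
# Added example (not from the thread): audit whether this Windows host is still
# configured to store LAN Manager (LM) password hashes, the backwards-compatibility
# default discussed above. NoLMHash = 1 stops LM hashes being stored for any
# password changed after the setting takes effect.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmHashStorageState {
    # Fail loudly if the LSA key is unreadable rather than reporting a false "safe".
    $props = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
    $noLmHash = $props.NoLMHash      # $null when the value has never been set
    [pscustomobject]@{
        NoLMHashValue  = $noLmHash
        LmHashesStored = ($noLmHash -ne 1)   # anything other than 1 means LM hashes are kept
    }
}

$state = Get-LmHashStorageState
if ($state.LmHashesStored) {
    Write-Warning ("LM hashes are still generated (NoLMHash={0}). " -f $state.NoLMHashValue +
                   "Set NoLMHash=1 (or the matching Group Policy) and force a password change.")
    # Remediation (requires elevation). Existing LM hashes remain in the
    # SAM/AD database until each account's password is changed.
    # Set-ItemProperty -Path $lsaKey -Name NoLMHash -Value 1 -Type DWord
} else {
    Write-Output 'NoLMHash=1: LM hashes are not stored for new passwords.'
}
```

On a domain, run this on the domain controllers (the setting is normally enforced there via Group Policy), since that is where account hashes are generated.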