Mailing List Archive



Re: [tlug] telnet'ing to home with Java servlet



On Mon, 2005-10-31 at 22:16 -0500, Jim wrote:
> On Tue, 01 Nov 2005 11:45:43 +0900 Shawn <shawn@example.com> wrote:
> 
> >      4. enter in your commands (ls, grep, cp whatever) and upload file
> >         with password [to do this securely, you'd want a list of disposable
> >         passwords that the servlet checks each time before running the
> >         commands.  
> 
> One time passwords are vulnerable to man-in-the-middle attacks. 
> 
> >         Take a copy of the list to work and then send it in].
> >         Actually, you could just submit the file clear text since it is
> >         disposable but I thought pgping it would hide your password
> >         length.  If you did pgp it, you'd have the ANT file decode the
> >         pgp file.
> 
> What you have is close to tunneling telnet over http.  
> The security of your approach is robustly broken in manifold ways.  
 
I originally thought of using it over https.  I didn't realize that
https via proxy resulted in clear text passwords being used.

Shawn
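
Added example, not part of the original thread or any poster's code: a sketch of the disposable-password check described above, showing why single use stops replay but not a request altered in transit, next to a variant that binds the commands with an HMAC. The class names, sample passwords and commands are constructed, and the HMAC variant is an assumption, not something proposed in the thread.

```python
import hashlib
import hmac

# Constructed sample values; a real list would hold long random strings.
PASSWORDS = ["k7Qz-91xa", "Pm22-ffe0", "zz81-Lq4c"]

class DisposableList:
    """The scheme from the thread: each listed password is accepted once."""

    def __init__(self, passwords):
        self._unused = {hashlib.sha256(p.encode()).digest() for p in passwords}

    def accept(self, password, commands):
        digest = hashlib.sha256(password.encode()).digest()
        hit = [d for d in self._unused if hmac.compare_digest(d, digest)]
        if not hit:
            return None
        self._unused.discard(hit[0])  # single use: a replay is refused
        return commands  # nothing ties the password to these commands

def tag(password, commands):
    """MAC over the commands, keyed with the next unused password."""
    return hmac.new(password.encode(), commands.encode(), hashlib.sha256).hexdigest()

class BoundList:
    """Variant (assumption, not from the thread): the password never travels."""

    def __init__(self, passwords):
        self._keys = list(passwords)

    def accept(self, commands, mac):
        if not self._keys or not hmac.compare_digest(tag(self._keys[0], commands), mac):
            return None
        self._keys.pop(0)  # consume the key only after a valid MAC
        return commands

def demo():
    sent, altered = "ls /home/shawn", "cp notes.txt /tmp/x"  # constructed commands
    plain = DisposableList(PASSWORDS)
    # Request rewritten in transit: same password, different commands.
    plain_altered = plain.accept(PASSWORDS[0], altered)
    plain_replay = plain.accept(PASSWORDS[0], sent)
    bound = BoundList(PASSWORDS)
    mac = tag(PASSWORDS[0], sent)
    bound_altered = bound.accept(altered, mac)
    bound_original = bound.accept(sent, mac)
    return plain_altered, plain_replay, bound_altered, bound_original
```

Binding the commands only detects alteration; an intermediary that can read the request still sees the commands and their output unless the connection is encrypted end to end.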



