0xC0DEC0DE07E8

@JessTheUnstill
Yup. This device is probably transmitting stuff in the clear because it’s got a web server running without encryption. The “normal” answer would be to enable TLS on your web server, but how do you do that when you’re embedded and can’t just bake in CA-signed TLS certs?
The thing that interests me about this failure is that you can pass-the-hash to get in.

@tknarr @colin_mcmillen @bagder

2 comments
Colin McMillen

@c0dec0dec0de @JessTheUnstill @tknarr @bagder my printer self-signs a cert. That's better than clear text even if there's the browser warning.

0xC0DEC0DE07E8 replied to Colin

@colin_mcmillen
Yeah, I’m thinking that’s probably true. You don’t have proof you’re talking to the right device (and are therefore vulnerable to MITM attacks notionally, but you connected to this thing via an IP address that you got out-of-band, so unlikely), but you’re getting the other security benefits (including encrypting your password in transit and resistance to replay attacks).
@JessTheUnstill @tknarr @bagder
