Re: [Fed-Talk] Fwd: [Full-disclosure] GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM
- Subject: Re: [Fed-Talk] Fwd: [Full-disclosure] GOOD for Enterprise (GMA) below 2.0.2 vulnerable to MITM
- From: Eugene Liderman <email@hidden>
- Date: Tue, 13 Nov 2012 19:18:52 -0500
Hi Jeffrey,
Not sure how much you know about Good's product and what GMA does and how it works… It's very clear that Thierry below does not…
1) What company would disclose a vulnerability via the iTunes App Store, especially a company that does business with the Federal Government?
2) You can clearly see Thierry never actually tested Good's product because if he had, he would have known that GMA is an INTRANET-only browser that uses 2 layers of encryption before hitting a reverse proxy that sits behind the perimeter firewall at a particular Enterprise/Agency. As a result it is not susceptible to a MITM/MITB attack using DNS Cache Poisoning, ARP Spoofing, or any other method over 3G or WiFi.
So in summary, yes, Good's GMA browser did not do certificate validation/revocation, but being for INTRANET-only sites, we could both agree that the risk would primarily be around an insider attack. Definitely not downplaying that because it's a valid security concern and does occur. That being said, this was not something that Good hid from its customers. It's been noted in every admin guide as a limitation until now, which is why it was noted in iTunes as a feature enhancement.
Yes, I work for Good; no, I am not endorsing my product, and I rarely chime in on Fed-Talk, but I felt this was one of those appropriate times.
-Eugene
On Tuesday, November 13, 2012 at 6:39 PM, Jeffrey Walton wrote:
Fed-talk mailing list (email@hidden)