Hi people,

I'm not really sure if I should be posting this to this list - please don't flame me *too* much if you think I shouldn't... ;-)

I had this idea a while back about setting up a program that listens on one port and then, when a connection comes in, negotiates for another and listens on that, and then negotiates for another, passing everything through gpg with pre-defined keys. Eventually, enough 'trust' is built so that the 'charge' is passed to the client.

IMO, the advantages of this are based on the fact that i) as there are lots of Syn, Syn/Ack, Acks going on, a traffic sniffer will get more confused (plus all the packets will look the same as they're all gpg encrypted); ii) attacking the initial port will reveal nothing; iii) the port used to send sensitive information is only open briefly; iv) no public keys are passed - they have to be pre-setup.

Anyway, it's now coded and available at namkas.com/ncgpg/

As the people on this list seem to know a damn sight more about security than me, I was kinda hoping that some of you might be able to take a look and tell me your opinion on it - I'm not really sure who else to turn to. It works currently, and I think is fairly secure, but I'm not sure about i) the security of nc and ii) how to avoid putting the gpg passphrase in the process list when encrypting text (see the code).

Hope this isn't too out of place on this list...

Thank you,

Matthew

--
Matthew Sackman
Nottingham, ENGLAND

---------------------------------------------------------------------
The contents of this email are intended for the indicated recipient(s) only. This may or may not be indicated in the above email as it is enormously easy to fake email addresses (see the relevant RFCs). For security reasons this email is likely to be gnupg signed. On the other hand it may not be if I forgot to do so.
In any case, if you are reading this on a Windows based computer then there was no point in me doing so (provided that I remembered) as your computer is most likely being used by yourself and 2.8 other people at the same time (normally without your consent). No responsibility will be accepted by anyone for any of the contents of this email. So tough. If in doubt, go compile Mozilla.
---------------------------------------------------------------------
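An added example (not the poster's code, nor part of ncgpg) of the process-list leak the post asks about: a passphrase handed to gpg as a command-line argument is readable by every local user via /proc or ps for as long as the child runs, whereas one written to the child over a pipe never appears in its argument vector. It assumes a Linux /proc (with `ps` as a fallback) and uses `sh`/`sleep` and `cat` as stand-ins for gpg so it runs offline.

```python
# Constructed demo: the children are `sh -c "sleep 5"` and `cat`, standing in
# for a gpg invocation. Linux /proc is read first; `ps` is the fallback.
import subprocess


def argv_as_seen_by_others(pid: int) -> str:
    """Return a process's argument vector the way `ps` shows it to any
    local user: /proc/<pid>/cmdline on Linux, `ps -o args=` elsewhere."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=False)
        return out.stdout


def passphrase_as_argument(passphrase: str) -> bool:
    """Leaky pattern (what `gpg --passphrase <secret>` does): the secret sits
    in argv for the whole life of the child. Returns True if it is visible."""
    child = subprocess.Popen(["sh", "-c", "sleep 5", "leaky", passphrase])
    try:
        return passphrase in argv_as_seen_by_others(child.pid)
    finally:
        child.kill()
        child.wait()


def passphrase_over_pipe(passphrase: str) -> bool:
    """Safer pattern: the secret travels over a pipe the child reads from
    (gpg equivalent: `--passphrase-fd 0`, plus `--pinentry-mode loopback`
    on GnuPG 2.1+). Returns True if it is visible in argv, i.e. never."""
    child = subprocess.Popen(["cat"], stdin=subprocess.PIPE,
                             stdout=subprocess.DEVNULL)
    try:
        child.stdin.write(passphrase.encode() + b"\n")
        child.stdin.flush()
        return passphrase in argv_as_seen_by_others(child.pid)
    finally:
        child.stdin.close()
        child.wait()


if __name__ == "__main__":
    secret = "constructed-passphrase-do-not-reuse"
    print("visible via argv:", passphrase_as_argument(secret))  # True
    print("visible via pipe:", passphrase_over_pipe(secret))    # False
```

The same check works on any running process you own, so it is a quick way to audit whether a wrapper script around gpg or nc is exposing material it should not.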