
RE: SSL v IPSEC for management?



If the server certificate is not signed by one of the root CAs installed
in your browser, then you cannot authenticate.  Marc, are you assuming
that the certificate is issued by one of the root CAs?



> -----Original Message-----
> From:	marcvh@aventail.com [SMTP:marcvh@aventail.com]
> Sent:	Tuesday, January 26, 1999 10:32 AM
> To:	Steven Lee
> Cc:	'Waters Stephen'; Ipsec (E-mail)
> Subject:	Re: SSL v IPSEC for management? 
> 
> Steven Lee said:
> > There are some trade-offs in using the SSL; however, one of the top
> > issues would be that a client cannot authenticate the server.
> > Therefore, a server could be someone pretending to be a trusted party
> > and there is no way for the client to authenticate this information.
> 
> What?  That's not true at all; it's just as possible for an SSL client
> to verify the server's certificate information as it is for a client of
> any other public-key based security protocol.  Regarding the other
> discussion, in SSL (and HTTPS, which is HTTP inside SSL/TLS)
> authentication of the client to the server is generally available as an
> optional service, while authentication of the server to the client is
> generally mandatory.
> 
> Re the original poster, no, SSL is not known to be vulnerable to replay
> attacks.  Which one is more suited to your purpose is hard to say from
> the information you give; SSL is at a higher level, can easily be
> entirely contained within an application instead of requiring network
> stack issues, can't protect UDP data, may be more vulnerable to
> denial-of-service attacks, is probably more vulnerable to traffic
> analysis, etc. relative to IPSEC.  You'll have to decide which of these
> things are important to you.
> 
> I don't understand how SSL per se is vulnerable to things like relay
> attacks or address-spoofing attacks, although a poorly designed
> application that used SSL could have such weaknesses.
> 
> - Marc
> 
> -- 
> Marc VanHeyningen                 marcvh@aventail.com
> Internet Security Architect
> Aventail                          http://www.aventail.com/
> 
> 


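The point both messages turn on is what an SSL/TLS client actually does with the server's certificate: it tries to build a chain from that certificate to a root in its own trust store and checks that the certificate is for the host it meant to reach. If the issuing root is not installed, the chain cannot be built and the server is not authenticated; if the root is installed (including a private root you install yourself), it is. The following Go program is an added example written for this page, not code from either poster or from Aventail. It mints a private root CA, a server certificate signed by it, an unrelated root, and a self-signed server certificate, all in memory, and runs the same x509 verification that Go's TLS client performs with RootCAs during the handshake. The host names, CA names and serial numbers are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mintCert generates a fresh P-256 key and a certificate for tmpl. If parent
// is nil the certificate is self-signed (a root CA, or a lone self-signed
// server certificate); otherwise it is signed with parentKey.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a root CA: CA:TRUE with the certSign key usage.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // hypothetical CA name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// serverTemplate describes an end-entity server certificate for host.
func serverTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hypothetical host name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// authenticateServer is the check an SSL/TLS client performs on the server's
// certificate: chain it to a root in the client's trust store and confirm it
// names the host the client intended to reach.
func authenticateServer(serverCert *x509.Certificate, trustStore *x509.CertPool, host string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     trustStore,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome classifies a verification result the way a client would report it.
type Outcome string

const (
	Trusted          Outcome = "trusted"
	UnknownAuthority Outcome = "unknown authority"
	NameMismatch     Outcome = "hostname mismatch"
	OtherFailure     Outcome = "other failure"
)

func classify(err error) Outcome {
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &ua):
		return UnknownAuthority
	case errors.As(err, &hn):
		return NameMismatch
	default:
		return OtherFailure
	}
}

// RunScenarios verifies two server certificates against trust stores that do
// and do not contain the root that signed them.
func RunScenarios() map[string]Outcome {
	const host = "mgmt.example.test" // hypothetical management host
	ourRoot, ourRootKey := mintCert(caTemplate("Example Private Root CA", 1), nil, nil)
	otherRoot, _ := mintCert(caTemplate("Unrelated Root CA", 2), nil, nil)
	server, _ := mintCert(serverTemplate(host, 3), ourRoot, ourRootKey)
	selfSigned, _ := mintCert(serverTemplate(host, 4), nil, nil)

	withOurRoot := x509.NewCertPool() // browser with our private root installed
	withOurRoot.AddCert(ourRoot)
	withOtherRoot := x509.NewCertPool() // browser without it
	withOtherRoot.AddCert(otherRoot)
	pinned := x509.NewCertPool() // the self-signed server cert itself installed as trusted
	pinned.AddCert(selfSigned)

	return map[string]Outcome{
		"signed by installed root":       classify(authenticateServer(server, withOurRoot, host)),
		"signed by root not installed":   classify(authenticateServer(server, withOtherRoot, host)),
		"installed root, wrong hostname": classify(authenticateServer(server, withOurRoot, "other.example.test")),
		"self-signed, not installed":     classify(authenticateServer(selfSigned, withOtherRoot, host)),
		"self-signed, explicitly pinned": classify(authenticateServer(selfSigned, pinned, host)),
	}
}

func main() {
	for scenario, outcome := range RunScenarios() {
		fmt.Printf("%-32s %s\n", scenario, outcome)
	}
}
```

The "wrong hostname" case is the one that poorly designed applications most often skip: a chain to a trusted root proves only that some CA vouched for the name in the certificate, so the client must also compare that name with the host it set out to talk to, or any certificate issued by a trusted root would authenticate any server.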