RE: SSL v IPSEC for management?
You can install additional certificates into your browser and treat them as
trusted. Naturally, these should be retrieved in a secure manner (usually
some out-of-band mechanism). This problem is no different than using certs
with IPSec. You always require a trusted 'root' certificate.
Paul Kierstead
TimeStep Corporation
mailto:pmkierst@timestep.com http:\\www.timestep.com
> -----Original Message-----
> From: Steven Lee [mailto:slee@cygnacom.com]
> Sent: Tuesday, January 26, 1999 10:48 AM
> To: 'marcvh@aventail.com'; Steven Lee
> Cc: 'Waters Stephen'; Ipsec (E-mail)
> Subject: RE: SSL v IPSEC for management?
>
>
> If the server certificate is not signed by one of the root CAs installed
> in your browser, then you cannot authenticate. Marc, are you assuming
> that the certificate is issued by one of the root CAs?
>
>
>
> > -----Original Message-----
> > From: marcvh@aventail.com [SMTP:marcvh@aventail.com]
> > Sent: Tuesday, January 26, 1999 10:32 AM
> > To: Steven Lee
> > Cc: 'Waters Stephen'; Ipsec (E-mail)
> > Subject: Re: SSL v IPSEC for management?
> >
> > Steven Lee said:
> > > There are some trade-offs in using the SSL; however, one of the top
> > > issues would be that a client cannot authenticate the server.
> > > Therefore, a server could be someone pretending to be a trusted party
> > > and there is no way for the client to authenticate this information.
> >
> > What? That's not true at all; it's just as possible for an SSL client
> > to verify the server's certificate information as it is for a client of
> > any other public-key based security protocol. Regarding the other
> > discussion, in SSL (and HTTPS, which is HTTP inside SSL/TLS)
> > authentication of the client to the server is generally available as
> > an optional service, while authentication of the server to the client
> > is generally mandatory.
> >
> > Re the original poster, no, SSL is not known to be vulnerable to replay
> > attacks. Which one is more suited to your purpose is hard to say from
> > the information you give; SSL is at a higher level, can easily be
> > entirely contained within an application instead of requiring network
> > stack issues, can't protect UDP data, may be more vulnerable to
> > denial-of-service attacks, is probably more vulnerable to traffic
> > analysis, etc. relative to IPSEC. You'll have to decide which of these
> > things are important to you.
> >
> > I don't understand how SSL per se is vulnerable to things like relay
> > attacks or address-spoofing attacks, although a poorly designed
> > application that used SSL could have such weaknesses.
> >
> > - Marc
> >
> > --
> > Marc VanHeyningen marcvh@aventail.com
> > Internet Security Architect
> > Aventail http://www.aventail.com/
> >
> >
>