
Re: SSL v IPSEC for management?



In this case, the client simply cannot trust the server.
The issue here is that it is possible for the SSL client to authenticate
the server.


----- Original Message -----
From: Steven Lee <slee@cygnacom.com>
To: <marcvh@aventail.com>; Steven Lee <slee@cygnacom.com>
Cc: 'Waters Stephen' <stephen.Waters@cabletron.com>; Ipsec (E-mail)
<ipsec@tis.com>
Sent: Tuesday, January 26, 1999 10:48 AM
Subject: RE: SSL v IPSEC for management?


>If the server certificate is not signed by one of the root CAs installed
>in your browser, then you cannot authenticate.  Marc, are you assuming
>that the certificate is issued by one of the root CAs?
>
>
>
>> -----Original Message-----
>> From: marcvh@aventail.com [SMTP:marcvh@aventail.com]
>> Sent: Tuesday, January 26, 1999 10:32 AM
>> To: Steven Lee
>> Cc: 'Waters Stephen'; Ipsec (E-mail)
>> Subject: Re: SSL v IPSEC for management?
>>
>> Steven Lee said:
>> > There are some trade-offs in using SSL; however, one of the top
>> > issues would be that a client cannot authenticate the server. Therefore,
>> > a server could be someone pretending to be a trusted party and there is
>> > no way for the client to authenticate this information.
>>
>> What?  That's not true at all; it's just as possible for an SSL client
>> to verify the server's certificate information as it is for a client of
>> any other public-key based security protocol.  Regarding the other
>> discussion, in SSL (and HTTPS, which is HTTP inside SSL/TLS)
>> authentication of the client to the server is generally available as an
>> optional service, while authentication of the server to the client is
>> generally mandatory.
>>
>> Re the original poster, no, SSL is not known to be vulnerable to replay
>> attacks.  Which one is more suited to your purpose is hard to say from
>> the information you give; SSL is at a higher level, can easily be
>> entirely contained within an application instead of requiring network
>> stack issues, can't protect UDP data, may be more vulnerable to
>> denial-of-service attacks, is probably more vulnerable to traffic
>> analysis, etc. relative to IPSEC.  You'll have to decide which of these
>> things are important to you.
>>
>> I don't understand how SSL per se is vulnerable to things like relay
>> attacks or address-spoofing attacks, although a poorly designed
>> application that used SSL could have such weaknesses.
>>
>> - Marc
>>
>> --
>> Marc VanHeyningen                 marcvh@aventail.com
>> Internet Security Architect
>> Aventail                          http://www.aventail.com/
>>
>>
>