
Re: SSL v IPSEC for management?



Marc VanHeyningen enscribed thusly:
> Michael H. Warfield said:
> > 	The client shouldn't have to trust the server.  The server presents
> > a certificate which, presumably, has some information which indelibly
> > links that certificate to the server.  In the case of web servers, that's
> > generally the common name in the certificate matching the server name
> > you are contacting.  This does rely on information in the DNS being
> > accurate.  My server, www.wittsend.com, presents a certificate claiming
> > to be www.wittsend.com and DNS lookup on www.wittsend.com confirms this.

> I agree with everything you say except the part about DNS.

> A good SSL (or anything else, for that matter) implementation should not
> rely on DNS resolution.  The DNS lookup of the address is necessary so
> that the IP layer can know where it is connecting to, but the SSL layer
> should be comparing the name as typed in by the user with the name as
> presented in the certificate, not a name which has undergone forward or
> reverse or any other form of DNS.

	Oh!  I agree...  The SSL layer should compare the name typed in by
the user with the name presented in the certificate.  What I meant was that
it should ALSO compare with DNS.  You type in www.wittsend.com and you
get back a certificate that says www.wittsend.com but the DNS says "no,
that's really foo.scruffy.lowlife.offshore".  Ok, what do you do then?

> This can pose some issues; if instead of trying to connect to www.wittsend.com
> I instead type in the IP address it happens to resolve to, then I'll be
> unable to know whether I connected to the right place unless either the
> certificate contains the IP address as well as the name, or I choose to
> trust reverse DNS.  The easiest solution is "don't do that."

	Agreed.  What I meant was that DNS should be yet another level of
double check that you are doing what you think you are doing.  I didn't mean
it instead of checking you got what you asked for.

	Same thing holds true with virtual servers.  You can get to the
same server as "www.wittsend.com" or "alcove.wittsend.com" (same address)
or "www.bdcustom.com" (same system, different address).  The certificate
will only match on "www.wittsend.com" (I don't have a cert for bdcustom
and alcove is the cname for the iron).  You want to contact www.wittsend.com
you use www.wittsend.com, you don't use alcove.wittsend.com or 130.205.0.22.

> - Marc

> -- 
> Marc VanHeyningen                 marcvh@aventail.com
> Internet Security Architect
> Aventail                          http://www.aventail.com/

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
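As an added example (not part of the thread above), a minimal name matcher that does what both posters agree on: compare the name the user typed against the names the certificate itself asserts, never a name that went through forward or reverse DNS, and let a typed IP address match only if the certificate carries it. It uses the dict layout Python's `ssl.SSLSocket.getpeercert()` returns; the certificate contents are constructed for illustration, and the 130.205.0.22 address is the one from the message above.

```python
import ipaddress

# Constructed certificate in getpeercert() layout: covers www.wittsend.com only,
# so the alcove.wittsend.com alias and the bare IP must not match.
WITTSEND_CERT = {
    "subject": ((("commonName", "www.wittsend.com"),),),
    "subjectAltName": (("DNS", "www.wittsend.com"),),
}

# Constructed variant that also asserts the IP address in an iPAddress SAN.
WITTSEND_CERT_WITH_IP = {
    "subject": ((("commonName", "www.wittsend.com"),),),
    "subjectAltName": (("DNS", "www.wittsend.com"), ("IP Address", "130.205.0.22")),
}


def cert_names(cert):
    """Return (dns_names, ip_addresses) the certificate asserts about itself."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    # Fall back to the subject commonName only when no DNS SAN is present.
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.add(value.lower().rstrip("."))
    return dns, ips


def typed_name_matches(typed, cert):
    """True if the name the user typed is one the certificate asserts.

    The input is the literal string the user typed, not anything resolved
    through DNS.  Wildcard names are deliberately not handled here.
    """
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(typed)
    except ValueError:
        ip = None
    if ip is not None:
        return ip in ips  # a typed IP matches only an iPAddress SAN
    return typed.lower().rstrip(".") in dns
```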

