[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fw: IPSec vs. SSL


The following article.



From: "Khaja E. Ahmed" <khaja.ahmed@home.com> on 18/12/2000 22:11 PST

To:   "Steven M. Bellovin" <smb@research.att.com>, "Paul Heber"
cc:   "Paul Heber" <pheber@qantas.com.au>, "Henry Spencer"
      <henry@spsystems.net>, <ipsec@lists.tislabs.com>
Subject:  Re: Fw: IPSec vs. SSL

----- Original Message -----
From: "Paul Heber" <pheber@qantas.com.au>
> I agree that with SSL and tools such
> as Dsniff the man in the middle is an issue.

I am not quite sure I understand how SSL is susceptible to the man in the
middle attack.  Could you explain this a bit more or point me to some
write-up on this.  If the client encrypts a session key with the public key
of a server pretty much the only thing that can decrypt the key is the
server which has the private key corresponding to the public key in the
certificate.  I don't see how a man in the middle attack can be launched

----- Original Message -----
From: "Paul Heber" <pheber@qantas.com.au>
> I agree SSL is less secure and needs to be done from individual servers

> well, so the encryption has to be done at multiple points and servers,
> is also much simpler to deploy.

Why is SSL less secure?  Digital certificate based server authentication,
1024 bit RSA keys for encryption of the session key, a perfectly secure
session key establishment mechanism, 3DES encryption.  Where is the
weakness.  Could you please explain or point me to some analysis of
weaknesses you are referring to.  In fact with client auth I see no reason
why it is in any way less secure than IPSec.