[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fw: IPSec vs. SSL

To: "Paul Heber" <pheber@qantas.com.au>
Subject: Re: Fw: IPSec vs. SSL
From: "Khaja E. Ahmed" <khaja.ahmed@home.com>
Date: Mon, 18 Dec 2000 23:29:30 -0800
Cc: "Steven M. Bellovin" <smb@research.att.com>, "Paul Heber" <pheber@qantas.com.au>, "Henry Spencer" <henry@spsystems.net>, <ipsec@lists.tislabs.com>
References: <OFB9BE0D8B.F1C4D54F-ON4A2569BA.0029ADEA@qantas.com.au>
Sender: owner-ipsec@lists.tislabs.com

In reading the article there appears to be no weakness in the SSL protocol
itself that is at issue.  What seems to be the concern is that browsers and
user desktops are easy to thwart and the platform itself may be untrusted.
That combined with use's not paying close attention to the visual cues and
security indicators and questions in the UI appear to be what the author is
concerned about.  The third factor that the author points to is that the
lower level software that binds IP addresses to a given MAC address and
weaknesses in DNS exacerbate the problem.

These are long standing concerns that although very real do not adversely
affect ( at present at least) the bulk of SSL usage.  I was wondering if the
SSL protocol itself has been "broken".  That does not seem to be the case.
Do let me know if I missed something in the article.

Khaja

----- Original Message -----
From: "Paul Heber" <pheber@qantas.com.au>
To: "Khaja E. Ahmed" <khaja.ahmed@home.com>
Cc: "Steven M. Bellovin" <smb@research.att.com>; "Paul Heber"
<pheber@qantas.com.au>; "Henry Spencer" <henry@spsystems.net>;
<ipsec@lists.tislabs.com>
Sent: Monday, December 18, 2000 11:35 PM
Subject: Re: Fw: IPSec vs. SSL


> Khaja,
>
> The following article.
>
> http://securityportal.com/cover/coverstory20001218.html
>
> Paul
>
>
>
> From: "Khaja E. Ahmed" <khaja.ahmed@home.com> on 18/12/2000 22:11 PST
>
> To:   "Steven M. Bellovin" <smb@research.att.com>, "Paul Heber"
>       <pheber@qantas.com.au>
> cc:   "Paul Heber" <pheber@qantas.com.au>, "Henry Spencer"
>       <henry@spsystems.net>, <ipsec@lists.tislabs.com>
> Subject:  Re: Fw: IPSec vs. SSL
>
>
> ----- Original Message -----
> From: "Paul Heber" <pheber@qantas.com.au>
> > I agree that with SSL and tools such
> > as Dsniff the man in the middle is an issue.
>
> I am not quite sure I understand how SSL is susceptible to the man in the
> middle attack.  Could you explain this a bit more or point me to some
> write-up on this.  If the client encrypts a session key with the public
key
> of a server pretty much the only thing that can decrypt the key is the
> server which has the private key corresponding to the public key in the
> certificate.  I don't see how a man in the middle attack can be launched
> here.
>
>
> ----- Original Message -----
> From: "Paul Heber" <pheber@qantas.com.au>
> > I agree SSL is less secure and needs to be done from individual servers
> as
>
> > well, so the encryption has to be done at multiple points and servers,
> but
> > is also much simpler to deploy.
>
> Why is SSL less secure?  Digital certificate based server authentication,
> 1024 bit RSA keys for encryption of the session key, a perfectly secure
> session key establishment mechanism, 3DES encryption.  Where is the
> security
> weakness.  Could you please explain or point me to some analysis of
> weaknesses you are referring to.  In fact with client auth I see no reason
> why it is in any way less secure than IPSec.
>
> Khaja
>
>
>
>
>
>
>
>

Follow-Ups:

Re: Fw: IPSec vs. SSL

From: Joel M Snyder <Joel.Snyder@Opus1.COM>

References:

Re: Fw: IPSec vs. SSL

From: "Paul Heber" <pheber@qantas.com.au>

Prev by Date: Re: Fw: IPSec vs. SSL
Next by Date: Re: Fw: IPSec vs. SSL
Prev by thread: Re: Fw: IPSec vs. SSL
Next by thread: Re: Fw: IPSec vs. SSL
Index(es):
- Main
- Thread