From: Alex Alten (Alten home.com)
Date: Fri Mar 30 2001 - 00:00:54 CST
At 09:40 AM 3/28/2001 -0800, you wrote:
>> At 08:08 AM 3/28/2001 -0800, Eric Rescorla wrote:
>> >Huh? You don't consider people using SSL to send their credit
>> >card numbers around to be large scale deployment?
>>
>> <opinions>
>> I do not consider SSL to be a success from a security view.
>This is a widely held belief but I don't think it stands up
>to much examination.
>
Go take a look at the GAO report at one of these URLs. There's
a section discussing SSL. It lays to rest any security illusions
about SSL (basically there's not much security to it).
http://www.gao.gov/cgi-bin/getrpt?rptno=gao-01-277
http://www.gao.gov/new.items/d01277.pdf
>> It is widespread, and provides decent transport level
>> security. It does not use RSA effectively at all.
>I think the claim that it doesn't use RSA effectively needs
>some support.
>
Again, go read the GAO report.
>> The whole cert issuing process is a joke.
>Really? Aside from the current Verisign/Microsoft bungle (which
>wasn't an SSL certificate) can you name any instance where a
>reputable CA has given a certificate to the wrong person?
>
Hmm...you should take a look at code the *above* average
programmer writes while using a library (like the Phaos SSLava).
They'll accept a signature chain of certs that includes a
self-signed server cert (be it Verisign or some other CA).
After examining three products from one fairly large software
firm, I came to the conclusion that maybe close to 100% of
the apps using SSL are deeply flawed from a security point of
view. My observations include mistakes such as using software
to generate random number seeds and sharing the same
private/public key pair among multiple users or machines.
>> And consumers
>> simply do not pay any attention to their side at all.
>>
They don't have to; Visa provides what SSL lacks.
>> IMHO, SSL is a success in a marketing view, nothing more
>Before SSL we had lots of examples of passwords being sniffed
>off the wire. I don't know of any instance where someone has
>managed to compromise an SSL session and recover a credit
>card # in the wild. Do you? If not, it seems to me that
>this is a pretty good argument that SSL is a success from
>a security perspective as well.
>
Really? Given the way an IP routing network operates, I suspect
that this very message I'm sending you is broken up into small
packets and sent helter-skelter all over the net, only to be properly
reassembled by your IP stack. Anyone out in the wild will have
a heck of a time getting enough of them to make much sense of my
typing.
- Alex

--
Alex Alten
Alten Home.Com
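The post above describes two implementation mistakes: a client that walks a certificate chain and accepts it as long as the last certificate is self-signed, without ever anchoring it in a trust store, and deployments that share one key pair across several machines. The following Go program is an added example written for this archive page; it is not code from the post, from Phaos SSLava, or from any product the author examined. It uses only Go's standard library (crypto/x509) and constructs its own throwaway PKI at run time: a root CA, a server certificate for the hypothetical host shop.example issued by that CA, a second certificate for the same host that wrongly reuses the first one's key pair, and a self-signed certificate for the host made with an unrelated key. It then runs the naive chain check beside a proper x509.Verify against an explicit trust anchor, and a key-reuse check, so the difference in outcome is visible on the same inputs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newCert signs tmpl with signer on behalf of parent (nil parent = self-signed).
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template builds either a CA template or a server template for a hostname.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// signedBy is a bare signature check: issuer's key verifies cert's signature.
func signedBy(cert, issuer *x509.Certificate) bool {
	return issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// naiveChainCheck reproduces the flaw the post describes: each link is checked
// and the chain is accepted once its last certificate signs itself. No trust
// store is consulted, so any self-signed server certificate passes.
func naiveChainCheck(chain []*x509.Certificate) bool {
	for i := 0; i+1 < len(chain); i++ {
		if !signedBy(chain[i], chain[i+1]) {
			return false
		}
	}
	last := chain[len(chain)-1]
	return signedBy(last, last)
}

// strictVerify anchors the chain in an explicit trust store and lets
// x509.Verify check hostname, validity, basic constraints and key usage.
func strictVerify(leaf, root *x509.Certificate, hostname string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err == nil
}

// sharesKey flags two certificates carrying the same public key, the
// "one key pair on many machines" mistake the post mentions.
func sharesKey(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo)
}

// RunAudit builds a constructed PKI for the hypothetical host shop.example
// and returns the outcome of each check.
func RunAudit() map[string]bool {
	const host = "shop.example"
	caKey := newKey()
	root := newCert(template("Constructed Root CA", 1, true), nil, &caKey.PublicKey, caKey)
	srvKey := newKey()
	issued := newCert(template(host, 2, false), root, &srvKey.PublicKey, caKey)
	clone := newCert(template(host, 3, false), root, &srvKey.PublicKey, caKey) // reused key pair
	rogueKey := newKey()
	selfSigned := newCert(template(host, 4, false), nil, &rogueKey.PublicKey, rogueKey)
	return map[string]bool{
		"naive/issued":       naiveChainCheck([]*x509.Certificate{issued, root}),
		"naive/self-signed":  naiveChainCheck([]*x509.Certificate{selfSigned}),
		"strict/issued":      strictVerify(issued, root, host),
		"strict/self-signed": strictVerify(selfSigned, root, host),
		"keyreuse/clone":     sharesKey(issued, clone),
		"keyreuse/rogue":     sharesKey(issued, selfSigned),
	}
}

func main() {
	for name, ok := range RunAudit() {
		fmt.Printf("%-20s accepted=%v\n", name, ok)
	}
}
```

Running it shows the naive check accepting both the CA-issued certificate and the self-signed one, while strictVerify accepts only the certificate that chains to the configured root; the key-reuse check fires for the two certificates that carry the same public key and stays silent for the unrelated one. The design point is that a chain being internally consistent (every signature valid) says nothing about who is at the top of it; the trust decision is the comparison against a root store, which is exactly the step the naive code skips.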