RE: [fw-wiz] Security of HTTPS

From: Ben Nagy (ben_at_iagu.net)
Date: 11/23/04

  • Next message: Jean-Denis Gorin: "RE: [fw-wiz] Security of HTTPS"
    To: "'Alex Bihlmaier'" <thalunil@kallisti.de>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 23 Nov 2004 09:24:45 +0100
    
    

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of Alex Bihlmaier
    [...]
    > I am curious how strong the security of https can be.

    I don't know if this is a troll. If you're some super advanced
    crypto-protocol guy trying to send a minimalist email, I may have been
    fooled.

    > Is there some possibility of a MITM attack?

    No.

    (Well..... Yes.)

    HTTPS relies on SSL / TLS. One of the three fundamental design goals[1] for
    TLS is:

    " The negotiation is reliable: no attacker can modify the
    negotiation communication without being detected by the
    parties to the communication."

    There are, sadly, still a lot of possible ways to introduce a MitM attack -
    almost all of these rely on browser bugs (not an SSL problem), the
    stupidness of the "trusted third party" model typified by commercial
    Certification Authorities (not really an SSL problem either), or total
    mis-use of the protocol to ignore server authentication (nobody does that
    although it is supported in theory).

    Basically, the model is fine, but the implementation is often sloppy enough
    to allow strange things to happen. The fact that most users are now trained
    to ignore certificate error warnings doesn't help.

    > Are there any papers out there outlining this aspect of security?

    Start with the SSL spec. [2] Then read the TLS RFC [1]. You might also try a
    FAQ like this one [3] which includes links through to higher level
    summaries.

    Cheers,

    ben

    [1] http://www.faqs.org/rfcs/rfc2246.html
    [2] http://wp.netscape.com/eng/ssl3/draft302.txt
    [3] http://www.faqs.org/faqs/computer-security/ssl-talk-faq/

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
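The three client behaviours the reply above contrasts (server authentication kept on, the protocol misuse that switches it off, and trust in a known certificate) as an added example in Go; it is not code from the original post, uses only the Go standard library, and assumes the self-signed certificate that httptest generates for a loopback server stands in for an untrusted endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io"
	"net/http"
	"net/http/httptest"
)

// newServer starts a loopback HTTPS server with the self-signed certificate
// that httptest generates (constructed for this example, not a real CA).
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "hello over TLS")
	}))
}

// fetch performs one GET with the given client TLS configuration and returns
// the body, or the handshake/transport error if the certificate was rejected.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// strictClient keeps server authentication on (system roots, hostname check).
// A certificate that does not chain to a trusted root is rejected, which is
// what prevents an interposed endpoint from completing the handshake.
func strictClient(url string) (string, error) {
	return fetch(url, &tls.Config{})
}

// skipVerifyClient is the misuse the mail describes: server authentication is
// switched off, so any certificate, including one from a man-in-the-middle,
// is accepted and the "reliable negotiation" guarantee is thrown away.
func skipVerifyClient(url string) (string, error) {
	return fetch(url, &tls.Config{InsecureSkipVerify: true})
}

// pinnedClient trusts exactly one certificate, the one the server is expected
// to present, so the self-signed server verifies without weakening the check.
func pinnedClient(url string, serverCert *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(serverCert)
	return fetch(url, &tls.Config{RootCAs: pool})
}
```

Run the three clients against the same server: only the strict client fails, and it fails for the same reason a certificate warning appears in a browser, which is the signal users are trained to click through.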

