Re: [fw-wiz] Security of HTTPS

From: Frank Knobbe (frank_at_knobbe.us)
Date: 11/28/04

  • Next message: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
    To: Ng Pheng Siong <ngps@netmemetic.com>
    Date: Sun, 28 Nov 2004 10:43:47 -0600
    
    
    

    On Sun, 2004-11-28 at 10:15, Ng Pheng Siong wrote:
    > In SSL/TLS, the client certificate request is optional, and its typical
    > use, HTTPS, does not require client certificates, so there is no client
    > public/private key here that can be used to "transfer encrypted key
    > material".

    Right. But even if client certificates are used, these are only used for
    authentication (signature check) and not for encryption during
    master-key negotiation.

    That issue is something I have on my mind ever since Michael Warfields
    discussion about this in Focus-IDS. I'd like to remember that issue for
    comparisons between SSL VPNs with other type of VPNs (IPSec or SSH) as
    these do not have the same ...uhm... weakness. I still think people put
    too much stock in SSL VPNs.

    Oh well...

    Cheers,
    Frank

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



  • Next message: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"

    Relevant Pages

    • Re: Security online
      ... There are some alternatives to https SSL: ... Client certificates which map to Windows NT user accounts. ... Are you saying that as long as the padlock symbol is there the https doesn't ...
      (uk.people.silversurfers)
    • client HTTP authentication
      ... We would like to use HTTPS with the build in IE on the our Wince.net 4.2 ... But to make it more secure it would be great to use client certificates on ... can select when generation the wince image? ...
      (microsoft.public.windowsce.platbuilder)