Re: [fw-wiz] Security of HTTPS
From: Frank Knobbe (frank_at_knobbe.us)
Date: 11/28/04
- Previous message: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
- In reply to: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
- Next in thread: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
- Reply: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
To: Ng Pheng Siong <ngps@netmemetic.com>
Date: Sun, 28 Nov 2004 10:43:47 -0600

On Sun, 2004-11-28 at 10:15, Ng Pheng Siong wrote:
> In SSL/TLS, the client certificate request is optional, and its typical
> use, HTTPS, does not require client certificates, so there is no client
> public/private key here that can be used to "transfer encrypted key
> material".

Right. But even if client certificates are used, these are only used for
authentication (signature check) and not for encryption during
master-key negotiation.

That issue is something I have had on my mind ever since Michael Warfield's
discussion about this in Focus-IDS. I'd like to remember that issue for
comparisons between SSL VPNs with other types of VPNs (IPSec or SSH) as
these do not have the same ...uhm... weakness. I still think people put
too much stock in SSL VPNs.

Oh well...

Cheers,
Frank

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- application/pgp-signature attachment: This is a digitally signed message part