RE: [fw-wiz] Security of HTTPS

From: Ben Nagy (
Date: 11/29/04

  • Next message: Christopher Hicks: "Re: [fw-wiz] smtp proxy on firewall"
    To: "'Frank Knobbe'" <>, "'Ng Pheng Siong'" <>
    Date: Mon, 29 Nov 2004 10:04:14 +0100

    > -----Original Message-----
    > On Sun, 2004-11-28 at 10:15, Ng Pheng Siong wrote:
    > > In SSL/TLS, the client certificate request is optional, and
    > its typical
    > > use, HTTPS, does not require client certificates, so there
    > is no client
    > > public/private key here that can be used to "transfer encrypted key
    > > material".
    > Right. But even if client certificates are used, these are
    > only used for
    > authentication (signature check) and not for encryption during
    > master-key negotiation.

    If you're using client certs then you should be using one of the
    Diffie-Hellman cipher suites, shouldn't you? DH is not vulnerable to this
    type of passive interception attack, and couldn't be attacked in this
    way[1]. Certificate protected DH is still vulnerable to an active MitM if
    someone has a copy of the server's private key.

    However, the huge bulk of connections use the RSA cipher specs which _are_
    vulnerable to the attack you describe. Looking at it in this light, I am
    trying to work out why the implementors chose this construction (sending the
    PMS simply encrypted with the server cert) instead of "one side signed"
    Diffie Hellman, like IPSec-IKE, which would have obviated the passive
    sniffing attack. Does anyone know?



    [1] eg,


    firewall-wizards mailing list
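The difference the message turns on, shown as an added example (not code from the original post or from any TLS implementation): in an RSA cipher suite the client sends the premaster secret encrypted to the server's certificate key, so anyone who recorded the handshake and later obtains the server's private key can recover the session key; in a Diffie-Hellman suite the certificate key only signs the server's ephemeral DH value, and the recorded transcript plus that key yields nothing without solving a discrete logarithm. All parameters below are toy values constructed for illustration (Mersenne primes small enough to read, textbook RSA without padding, a 15-byte premaster secret instead of TLS's 48), and the function names are assumptions.

```python
"""Toy model of TLS RSA key transport versus ephemeral Diffie-Hellman key exchange,
seen from a passive recorder who later obtains the server's long-term private key."""
import hashlib
import secrets

# --- Constructed toy parameters: far too small for real use, chosen only because
# --- Mersenne primes with these exponents are known to be prime.
RSA_P = 2**107 - 1
RSA_Q = 2**127 - 1
RSA_N = RSA_P * RSA_Q                     # server's certificate modulus (~234 bits)
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's long-term private exponent

DH_P = 2**89 - 1                          # toy DH group modulus (real TLS: 2048+ bits)
DH_G = 3


def _kdf(secret: int, nbytes: int) -> bytes:
    """Stand-in for the TLS PRF: derive a session key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(nbytes, "big")).digest()


def rsa_handshake():
    """RSA cipher suite: client picks the premaster secret and encrypts it to the
    server's public key. Returns what a sniffer sees and the resulting session key."""
    pms = secrets.randbits(120)           # toy 15-byte premaster secret
    encrypted_pms = pow(pms, RSA_E, RSA_N)  # textbook RSA (toy; no padding)
    transcript = {"encrypted_pms": encrypted_pms}
    return transcript, _kdf(pms, 16)


def dh_handshake():
    """DH cipher suite: both sides choose fresh secret exponents; only g^x and g^y
    cross the wire. The server would sign server_pub with its certificate key,
    which authenticates it but never reveals the exponent y."""
    client_x = secrets.randbelow(DH_P - 2) + 1
    server_y = secrets.randbelow(DH_P - 2) + 1
    client_pub = pow(DH_G, client_x, DH_P)
    server_pub = pow(DH_G, server_y, DH_P)
    shared = pow(client_pub, server_y, DH_P)
    assert shared == pow(server_pub, client_x, DH_P)  # both sides agree
    transcript = {"client_pub": client_pub, "server_pub": server_pub}
    return transcript, _kdf(shared, 12)


def recorder_with_stolen_key_rsa(transcript, stolen_d):
    """Passive sniffer who later gets the server's private exponent: decrypts the
    recorded premaster secret and rebuilds the session key."""
    pms = pow(transcript["encrypted_pms"], stolen_d, RSA_N)
    return _kdf(pms, 16)


def recorder_with_stolen_key_dh(transcript, stolen_d):
    """Same sniffer against a DH handshake: the stolen key only ever signed
    server_pub. The exponents were never transmitted, so there is nothing to
    decrypt; recovering the session key would mean solving a discrete log."""
    del stolen_d  # the long-term key contributes nothing here
    assert "client_pub" in transcript and "server_pub" in transcript
    return None


def compare():
    """Run both handshakes and report whether a recorded session is exposed once
    the server's long-term private key leaks."""
    rsa_transcript, rsa_key = rsa_handshake()
    dh_transcript, dh_key = dh_handshake()
    return {
        "rsa_session_exposed": recorder_with_stolen_key_rsa(rsa_transcript, RSA_D) == rsa_key,
        "dh_session_exposed": recorder_with_stolen_key_dh(dh_transcript, RSA_D) == dh_key,
    }


if __name__ == "__main__":
    print(compare())  # {'rsa_session_exposed': True, 'dh_session_exposed': False}
```

This models only the passive case the thread is about. The active case the author mentions is also visible in the model: a holder of the server's private key could sign a DH value of their own choosing, which is why DH suites protect recorded traffic but not a live connection against someone who has that key, and why rotating or revoking a compromised server key remains necessary either way.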
