RE: [fw-wiz] Security of HTTPS
From: Ben Nagy (ben_at_iagu.net)
To: "'Frank Knobbe'" <firstname.lastname@example.org>, "'Ng Pheng Siong'" <email@example.com>
Date: Mon, 29 Nov 2004 10:04:14 +0100
> -----Original Message-----
> On Sun, 2004-11-28 at 10:15, Ng Pheng Siong wrote:
> > In SSL/TLS, the client certificate request is optional, and its typical
> > use, HTTPS, does not require client certificates, so there is no client
> > public/private key here that can be used to "transfer encrypted key
> > material".
> Right. But even if client certificates are used, these are only used for
> authentication (signature check) and not for encryption during
> master-key negotiation.
If you're using client certs then you should be using one of the
Diffie-Hellman cipher suites, shouldn't you? DH is not vulnerable to this
type of passive interception attack, and couldn't be attacked in this
way. Certificate protected DH is still vulnerable to an active MitM if
someone has a copy of the server's private key.
However, the huge bulk of connections use the RSA cipher specs which _are_
vulnerable to the attack you describe. Looking at it in this light, I am
trying to work out why the implementors chose this construction (sending the
PMS simply encrypted with the server cert) instead of "one side signed"
Diffie-Hellman, like IPSec-IKE, which would have obviated the passive
sniffing attack. Does anyone know?
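Added example, not part of the thread and not any poster's code: a toy Python model of the two key-exchange shapes Ben contrasts. In the RSA suites the client picks the premaster secret and encrypts it to the server's certificate key, so anyone who records the handshake and later holds that private key can recover the session's secret. In a signed (ephemeral) Diffie-Hellman exchange the long-term key only signs the server's ephemeral value; the shared secret comes from exponents that never cross the wire, so the same recorder gets nothing but a signature check. The parameters are deliberately small and constructed (Mersenne primes, textbook RSA with no padding, a 120-bit premaster secret, DH over p = 2^127-1 with g = 3), so this illustrates the structure, not real TLS sizes or group choices.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration only; not TLS key or group sizes).
RSA_P, RSA_Q = 2**89 - 1, 2**107 - 1   # Mersenne primes, so a known-good toy modulus
RSA_E = 65537
DH_P, DH_G = 2**127 - 1, 3             # toy DH group, not a standard MODP group


def make_server_key():
    """Long-term server key pair, standing in for the certificate key."""
    n = RSA_P * RSA_Q
    phi = (RSA_P - 1) * (RSA_Q - 1)
    d = pow(RSA_E, -1, phi)
    return (n, RSA_E), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def _digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(priv, data):
    n, d = priv
    return pow(_digest_mod_n(data, n), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)


def rsa_handshake(server_pub):
    """RSA key exchange: client chooses the PMS and encrypts it to the server key.
    Returns the client's PMS and the transcript a passive sniffer would capture."""
    pms = secrets.randbits(120)
    transcript = {"client_key_exchange": rsa_encrypt(server_pub, pms)}
    return pms, transcript


def server_rsa_secret(server_priv, transcript):
    """The server recovers the PMS exactly the way a later key-holder could."""
    return rsa_decrypt(server_priv, transcript["client_key_exchange"])


def dhe_handshake(server_priv, server_pub):
    """Signed ephemeral DH: the long-term key signs g^a; the secret is g^(ab).
    Returns both sides' secrets and the on-wire transcript."""
    a = secrets.randbelow(DH_P - 2) + 1          # server ephemeral exponent
    ya = pow(DH_G, a, DH_P)
    sig = rsa_sign(server_priv, ya.to_bytes(16, "big"))
    if not rsa_verify(server_pub, ya.to_bytes(16, "big"), sig):
        raise ValueError("server key exchange failed signature check")
    b = secrets.randbelow(DH_P - 2) + 1          # client ephemeral exponent
    yb = pow(DH_G, b, DH_P)
    client_secret = pow(ya, b, DH_P)
    server_secret = pow(yb, a, DH_P)
    # a and b are discarded here; only ya, sig and yb were ever transmitted.
    transcript = {"server_key_exchange": ya, "signature": sig, "client_key_exchange": yb}
    return client_secret, server_secret, transcript


def passive_observer(transcript, server_priv):
    """What a recorder that later obtains the server's long-term private key
    can derive from a captured handshake, for each exchange shape."""
    n, d = server_priv
    if "signature" in transcript:
        # DHE: the key lets the observer confirm the signature, nothing more.
        # The transcript holds g^a and g^b but neither exponent, so g^(ab)
        # is out of reach without solving the discrete-log problem.
        ya = transcript["server_key_exchange"]
        ok = rsa_verify((n, RSA_E), ya.to_bytes(16, "big"), transcript["signature"])
        return {"signature_valid": ok, "premaster_secret": None}
    # RSA: the same key that served the connection decrypts the recorded PMS.
    return {"signature_valid": None,
            "premaster_secret": rsa_decrypt(server_priv, transcript["client_key_exchange"])}


if __name__ == "__main__":
    pub, priv = make_server_key()
    pms, rsa_tr = rsa_handshake(pub)
    print("RSA: recorder with server key recovers PMS:",
          passive_observer(rsa_tr, priv)["premaster_secret"] == pms)
    cs, ss, dhe_tr = dhe_handshake(priv, pub)
    print("DHE: sides agree:", cs == ss,
          "| recorder with server key gets:", passive_observer(dhe_tr, priv))
```

The contrast is the forward-secrecy argument in miniature: the RSA suites tie every past session's confidentiality to the lifetime of one server key, while signed DHE limits a leaked long-term key to impersonation going forward (the active MitM Ben mentions), which is exactly the property IKE-style signed DH was designed to keep.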