Re: [fw-wiz] Firewall best practices

From my memory banks...

In the early days of the Internet there were two competing proposals to
allow secure transmission of data between two entities that did not know
each other (no way to build trust or exchange encryption keys and params):
HTTPS (aka SSL) and SHTTP (aka Secure HTTP).

It is no coincidence that SSL was adopted given that Netscape was the
primary Webserver in those days. At least that is what the ISP I was at
used in the 1990's. I personally thought SHTTP was better at least on

SSL has been plagued with implementation problems for years. On top of the
implementation problems comes the fact that the trust is only as good as the
signing CA AND what is in your browser. Beyond that a simple click by the
user can totally topple the entire trust hierarchy - oh well. And don't
forget that a virus can slide a CA certificate into your browser - I
have written code that will slide a CA certificate into the browser CA store
silently. Want to get scared? Look at the list of CAs, intermediate
signers, etc. in your browser's certificate store.

No love for Verisign here, indeed I have questioned some of their practices.
They seem to really like to make money.

That being said, SSL, for good or bad, helped facilitate E-Commerce. It is
ubiquitous today.


"With all due respect to Paul and Marcus, SSL is NOT crappy! Most bugs
are implementation induced (openSSH or other less known) and the most
known SSL strip vulnerability is not a problem of SSL but rather a user
awareness issue, because if everyone paid attention to the 's' in https
on their browser, that attack wouldn't be so troublesome."

firewall-wizards mailing list
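The point above about trust being only as good as what sits in the browser's CA store can be shown with a small chain-verification experiment. The following Go program is an added example, not code from the post or from any project discussed on the list. It constructs two unrelated root CAs in memory (the names "Example Trusted Root", "Unrelated Root" and the host "shop.example" are made up for the example), has each issue a server certificate for the same hostname, and then runs the same `x509` chain check a TLS client performs: the leaf from the second CA fails against a store holding only the first root, and passes as soon as that second root is added to the store. This is why auditing the trust store (and alerting on unexpected additions to it) is part of defending an HTTPS deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh P-256 key and issues a certificate for tmpl.
// With parent == nil the certificate is self-signed (a root CA); otherwise
// it is signed by parentKey, which must be the key behind parent.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// caTemplate describes a root CA (the names used here are constructed).
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes a server certificate for host.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// VerifyAgainstStore runs the chain check a browser performs: does leaf chain
// up to some root in store, and is it valid for host?
func VerifyAgainstStore(leaf *x509.Certificate, store []*x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Scenario returns, in order: the legitimate leaf checked against a store holding
// only its root; the unrelated CA's leaf against that same store; and the
// unrelated CA's leaf once its root has been added to the store.
func Scenario() (bool, bool, bool, error) {
	const host = "shop.example" // constructed hostname

	legitCA, legitKey, err := newCert(caTemplate("Example Trusted Root", 1), nil, nil)
	if err != nil {
		return false, false, false, err
	}
	legitLeaf, _, err := newCert(leafTemplate(host, 2), legitCA, legitKey)
	if err != nil {
		return false, false, false, err
	}
	otherCA, otherKey, err := newCert(caTemplate("Unrelated Root", 3), nil, nil)
	if err != nil {
		return false, false, false, err
	}
	otherLeaf, _, err := newCert(leafTemplate(host, 4), otherCA, otherKey)
	if err != nil {
		return false, false, false, err
	}

	store := []*x509.Certificate{legitCA}
	legit := VerifyAgainstStore(legitLeaf, store, host)
	rogue := VerifyAgainstStore(otherLeaf, store, host)
	// One extra root in the store is all it takes for the second chain to pass.
	injected := VerifyAgainstStore(otherLeaf, append(store, otherCA), host)
	return legit, rogue, injected, nil
}

func main() {
	legit, rogue, injected, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("legit leaf, legit store:        ", legit)
	fmt.Println("other leaf, legit store:        ", rogue)
	fmt.Println("other leaf, store + extra root: ", injected)
}
```

Run it with `go run` and the three lines print true, false, true. Nothing about the second certificate changed between the last two checks; only the store did, which is the practical reason to treat the contents of the CA store as security configuration and to compare it against a known baseline.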