Re: [fw-wiz] Firewall best practices




From my memory banks...

In the early days of the Internet there were two competing proposals to
allow secure transmission of data between two entities that did not know
each other (no way to build trust, exchange encryption keys and params):
HTTPS (aka SSL) and SHTTP (aka Secure HTTP).

It is no coincidence that SSL was adopted given that Netscape was the
primary web server in those days. At least that is what the ISP I was at
used in the 1990s. I personally thought SHTTP was better, at least on
paper.

SSL has been plagued with implementation problems for years. On top of the
implementation problems comes the fact that the trust is only as good as the
signing CA AND what is in your browser. Beyond that, a simple click by the
user can totally topple the entire trust hierarchy - oh well. And don't
forget that a virus can slide a CA certificate into your browser - I
have written code that will slide a CA certificate into the browser CA store
silently. Want to get scared? Look at the list of CAs, intermediate
signers, etc. in your browser's certificate store.

No love for Verisign here; indeed I have questioned some of their practices.
They seem to really like to make money.

That being said, SSL for good or bad helped facilitate E-Commerce for good or
bad. It is ubiquitous today.


ajm


"With all due respect to Paul and Marcus, SSL is NOT crappy! Most bugs
are implementation induced (openSSH or other less known) and the most
known SSL strip vulnerability is not a problem of SSL but rather a user
awareness issue, because if everyone paid attention to the 's' in https
on their browser, that attack wouldn't be so troublesome."


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


