Re: IPSec vs. SSL
From: UncleStoner (unclestoner_at_hotmail.com)
Date: 05/19/04
Date: 19 May 2004 07:00:41 -0700
Thanks for your reply Juha.
You've verified the advantages I suspected IPSec had over SSL, which
are just a result of the fact that it's lower down in the network
stack.
If we assume that IPSec does offer authentication (which you
tentatively suggest it does, and anyway even if it currently doesn't a
future revision could certainly include it), then:
What is the point of SSL? Why not just get rid of it and use IPSec
instead?
- If you want to secure _all_ traffic to and from a machine (as in
your company-laptop-from-home example), then the machine just has to
be configured (at an OS level) to send/receive only IPSec packets (as
is the case today).
- If you want to allow both secured and unsecured traffic (for
instance a web site that has some secured parts, or for that matter a
web browser that sometimes goes to secured web sites and sometimes to
unsecured web sites), then the machine-wide configuration would _not_
be required to send/receive only IPSec packets. Rather, whether or
not to use IPSec would be the choice of the individual applications,
via the sockets interface. **This isn't any more insecure than using
SSL for some but not all connections**. If you want to secure all
traffic to and from a machine, don't do this.
Basically, there isn't any reason (that I can see) that the IPSec
protocol could not be used
- to completely secure a computer from sending unencrypted data and
accepting unauthenticated communication
- OR as a generic client/server solution.
depending on the configuration. Of course it can't do both at the
same time on the same machine...but at least we would only have one
protocol to study and understand and improve.
And on a fun note: I recently unearthed some letters from my
great-grandfather who immigrated to the US from Oulu after WWI, I
believe. They were quite interesting for two reasons. They were
written in the years around WWII, and it was fascinating to feel how
conflicted he was about the alliance between his new country and the
Soviet Union. Unlike a lot of other Americans, he had no illusions
about Stalin for obvious reasons. Secondly, he spoke English well
enough but had never learned the spelling, so he spelled everything
phonetically. It was difficult to read until I started speaking the
words out loud...I was talking with a thick Finnish accent! Pretty
eerie since he was dead decades before I was born.