RE: Security of HTTPS

["Ben Nagy" <ben () iagu net>]

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Alex Bihlmaier
[...]
> I am curious how strong the security of https can be.

I don't know if this is a troll. If you're some super advanced
crypto-protocol guy trying to send a minimalist email, I may have been
fooled.

> Is there some possibility of a MITM attack?

No.

(Well..... Yes.)

HTTPS relies on SSL / TLS. One of the three fundamental design goals[1] for
TLS is:

" The negotiation is reliable: no attacker can modify the 
negotiation communication without being detected by the 
parties to the communication."

There are, sadly, still a lot of possible ways to introduce a MitM attack -
almost all of these rely on browser bugs (not an SSL problem), the
stupidness of the "trusted third party" model typified by commercial
Certification Authorities (not really an SSL problem either), or total
mis-use of the protocol to ignore server authentication (nobody does that
although it is supported in theory). 

Basically, the model is fine, but the implementation is often sloppy enough
to allow strange things to happen. The fact that most users are now trained
to ignore certificate error warnings doesn't help.

> Are there any papers out there outlining this aspect of security?

Start with the SSL spec. [2] Then read the TLS RFC [1]. You might also try a
FAQ like this one [3] which includes links through to higher level
summaries.

Cheers,

ben

[1] http://www.faqs.org/rfcs/rfc2246.html
[2] http://wp.netscape.com/eng/ssl3/draft302.txt
[3] http://www.faqs.org/faqs/computer-security/ssl-talk-faq/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards