Firewall Wizards mailing list archives
RE: Security of HTTPS
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 23 Nov 2004 09:24:45 +0100
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Alex Bihlmaier
> [...]
> I am curious how strong the security of https can be.
I don't know if this is a troll. If you're some super advanced crypto-protocol guy trying to send a minimalist email, I may have been fooled.
> Is there some possibility of a MITM attack?
No. (Well..... Yes.) HTTPS relies on SSL / TLS. One of the three fundamental design goals[1] for TLS is: " The negotiation is reliable: no attacker can modify the negotiation communication without being detected by the parties to the communication." There are, sadly, still a lot of possible ways to introduce a MitM attack - almost all of these rely on browser bugs (not an SSL problem), the stupidness of the "trusted third party" model typified by commercial Certification Authorities (not really an SSL problem either), or total mis-use of the protocol to ignore server authentication (nobody does that although it is supported in theory). Basically, the model is fine, but the implementation is often sloppy enough to allow strange things to happen. The fact that most users are now trained to ignore certificate error warnings doesn't help.
> Are there any papers out there outlining this aspect of security?
Start with the SSL spec. [2] Then read the TLS RFC [1]. You might also try a FAQ like this one [3] which includes links through to higher level summaries.

Cheers,
ben

[1] http://www.faqs.org/rfcs/rfc2246.html
[2] http://wp.netscape.com/eng/ssl3/draft302.txt
[3] http://www.faqs.org/faqs/computer-security/ssl-talk-faq/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
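To make the "mis-use of the protocol to ignore server authentication" point concrete, here is an added Python example (not from the thread) that contrasts a client context which skips server authentication with one that verifies the certificate chain and hostname, plus a small audit of the settings. The function names are assumptions of this example, not a library API.

```python
import socket
import ssl


def sloppy_client_context() -> ssl.SSLContext:
    """The mis-use the post warns about: the handshake still runs, but the
    server's identity is never checked, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # cert subject never compared to host
    ctx.verify_mode = ssl.CERT_NONE   # no chain to a trusted CA required
    return ctx


def verified_client_context() -> ssl.SSLContext:
    """Server authentication as the protocol intends: chain validation
    against the platform trust store plus hostname matching."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rule out SSLv3/TLS 1.0/1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that leave a client open to an active MitM."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate subject is not matched against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed")
    return findings


def tls_connect(host: str, ctx: ssl.SSLContext, port: int = 443) -> dict:
    """Open a TLS session and report what was authenticated.

    With the verified context an untrusted or mismatched certificate
    raises ssl.SSLCertVerificationError (the signal a browser turns into
    the warning users have learned to click through).  With the sloppy
    context the session simply succeeds and getpeercert() returns an empty
    dict, because nothing about the peer was ever checked.
    """
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "peer": tls.getpeercert()}


if __name__ == "__main__":
    print("sloppy:  ", audit_context(sloppy_client_context()))
    print("verified:", audit_context(verified_client_context()))
```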
Current thread:
- Security of HTTPS Alex Bihlmaier (Nov 22)
- RE: Security of HTTPS Ben Nagy (Nov 23)
- RE: Security of HTTPS Marcus J. Ranum (Nov 27)
- RE: Security of HTTPS Alex Bihlmaier (Nov 27)
- Re: Security of HTTPS Chuck Vose (Nov 27)
- RE: Security of HTTPS Marcus J. Ranum (Nov 27)
- RE: Security of HTTPS lordchariot (Nov 27)
- RE: Security of HTTPS Frank Knobbe (Nov 27)
- Re: Security of HTTPS Ng Pheng Siong (Nov 28)
- Re: Security of HTTPS Frank Knobbe (Nov 28)
- Re: Security of HTTPS Ng Pheng Siong (Nov 28)
- Re: Security of HTTPS Frank Knobbe (Nov 28)
- RE: Security of HTTPS Frank Knobbe (Nov 27)
- RE: Security of HTTPS Ben Nagy (Nov 23)