WebApp Sec mailing list archives

RE: Idea for making SSL more efficient


From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Fri, 16 Jul 2004 11:15:24 -0400

Paul,

Interesting idea, since it would in theory guarantee the integrity of
the image, but just a few comments:
1. No one is going to want to precompute image hashes and put them into
HTML
2. Is SSL *really* that much of a load on the server? I know it used to be,
but now it uses symmetric key 
3. Wouldn't it be easier for the user to disable the warning message on
the browser? They'd have to anyway in your scheme.
4. What's *really* the danger of someone MITMing you, waiting for your
"Google" logo to come across, and replacing it with their HaX0rZ image?
I'm sure someone can think of a situation where image integrity is very
important, but in such situations, would the load on SSL really make a
difference?
5. If someone is MITMing you, they can replace
        <img src="foo.gif" md5="abc123"/>
   With
      <img src="http://malware.com/foo.gif" md5="dfaab1"/>
In which case you haven't gained anything.

Even SSL can be MITMed, and unless you check the server certificate each
time, you never really know.

Mike

Michael Scovetta
Computer Associates
Senior Application Developer
tel: +1 631 342 3139
cell: +1 813 727 5772
michael.scovetta () ca com

-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk]
Sent: Thursday, July 15, 2004 5:12 AM
To: webappsec () securityfocus com
Subject: Idea for making SSL more efficient

Hi,

A disadvantage with SSL is that it places increased load on the server,
in particular because client's ISP caches cannot be used. In most
situations the images on an SSL site are not confidential. If they are
included as HTTP links then the browser will display a "mixture of
secure and insecure content" warning. That is sensible, because an
attacker could potentially manipulate the images to deceive the user.

My idea is to include an MD5 hash of the image in the img tag, so in an
https page you could do <img src="http://x.y.z/a.png" md5="xyz789"/> to
reference an HTTP image. Images protected by these integrity checks
would then not cause a browser warning.

I expect roll-out would not be easy, and also there may be concerns
about inferring what is on the SSL page from what images are requested
(e.g. whether "overdrawn.png" gets requested).

Anyone got thoughts on this?

Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
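
Added example, not part of either message above: a Python model of the check a browser would make under the proposed md5 attribute, run against an intact page, an image swapped in transit, and the rewritten page from point 5 of the reply. The host names, image bytes and the `render` function are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample data: hosts, file names and image bytes are illustrative.
GENUINE = b"GIF89a genuine logo"
FORGED = b"GIF89a attacker image"
GOOD_SRC = "http://img.example/logo.gif"
EVIL_SRC = "http://attacker.example/logo.gif"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def img_tag(src, body):
    """Build an <img> tag carrying the md5 attribute proposed in the thread."""
    return '<img src="%s" md5="%s"/>' % (src, md5_hex(body))


class ImgHashParser(HTMLParser):
    """Collect (src, md5) from every <img> that carries both attributes."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src") and a.get("md5"):
            self.images.append((a["src"], a["md5"].lower()))


def render(page_html, network):
    """Hypothetical browser check: show an image only if its bytes match the page's hash."""
    parser = ImgHashParser()
    parser.feed(page_html)
    return {src: "shown" if md5_hex(network[src]) == want else "blocked"
            for src, want in parser.images}


def scenarios():
    page = img_tag(GOOD_SRC, GENUINE)
    return {
        # HTML arrived intact (over HTTPS), image intact over HTTP.
        "intact": render(page, {GOOD_SRC: GENUINE}),
        # HTML intact, image swapped in transit: the hash catches it.
        "image_swapped": render(page, {GOOD_SRC: FORGED}),
        # HTML itself rewritten (point 5): src and md5 both replaced, check passes.
        "page_rewritten": render(img_tag(EVIL_SRC, FORGED), {EVIL_SRC: FORGED}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, outcome)
```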





