WebApp Sec mailing list archives
RE: Idea for making SSL more efficient
From: "Michael Howard" <mikehow () microsoft com>
Date: Fri, 16 Jul 2004 13:41:18 -0700
It'd be interesting to benchmark this before making perf claims! :) [Writing Secure Code 2nd Ed] http://www.microsoft.com/mspress/books/5957.asp [Protect Your PC] http://www.microsoft.com/protect [Blog] http://blogs.msdn.com/michael_howard -----Original Message----- From: Frank O'Dwyer [mailto:fod () littlecatZ com] Sent: Friday, July 16, 2004 1:16 PM To: Michael Howard Cc: Paul Johnston; webappsec () securityfocus com Subject: Re: Idea for making SSL more efficient It is incorrect to say that the integrity check is weak - as providing that the HTML containing the hash was itself delivered over SSL (which is clearly Paul's intention, as he says the original page is "https"), then the integrity of the hash is itself strongly protected. It is true that it is only an integrity check but (as Paul also pointed out) many images aren't confidential.. It's actually an ingenious idea, and could be used for more than just images (e.g. large downloads, links of any kind). However the main difficulty I see with it is that browsers would have to be modified handle the new IMG attribute. Having said that, browsers that didn't would likely ignore it, so with a little extra markup it could probably still be made to work (think of browsers that understand javascript versus those that don't). You'd have to ensure that the link that unmodified browsers saw was still https. Server-side, it would be pretty easy to automatically pre-compute these hashes and insert them in the HTML, too. Most servers have some mechanism for modifying the result stream. The performance win from reduced traffic seems likely to be considerable, too (SSL is not as slow as its painted, but it does expand traffic, and as Paul noted it prevents caching). Cheers, Frank Michael Howard wrote:
SSL provides many security features, including authentication,
integrity
checking and confidentiality. This solution provides only an integrity check, and weak one at that - only a hash, not a MAC. So what threat(s) concern you? [Writing Secure Code 2nd Ed] http://www.microsoft.com/mspress/books/5957.asp [Protect Your PC] http://www.microsoft.com/protect [Blog] http://blogs.msdn.com/michael_howard -----Original Message----- From: Paul Johnston [mailto:paul () westpoint ltd uk] Sent: Thursday, July 15, 2004 2:12 AM To: webappsec () securityfocus com Subject: Idea for making SSL more efficient Hi, A disadvantage with SSL is that it places increased load on the server,
in particular because client's ISP caches cannot be used. In most situations the images on an SSL site are not confidential. If they are included as HTTP links then the browser will display a "mixture of secure and insecure content" warning. That is sensible, because an attacker could potentially manipulate the images to deceive the user. My idea is to include a MD5 hash of the image in the img tag, so in an https page you could do <img src="http://x.y.z/a.png" md5="xyz789"/> to
reference an HTTP image. Images protected by these integrity checks would then not cause a browser warning. I expect roll-out would not be easy, and also there may be concerns about infering what is on the SSL page from what images are requested (e.g. whether "overdrawn.png" gets requested). Anyone got thoughts on this? Paul
Current thread:
- Idea for making SSL more efficient Paul Johnston (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 17)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- RE: Idea for making SSL more efficient V. Poddubnyy (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 17)
- <Possible follow-ups>
- RE: Idea for making SSL more efficient Scovetta, Michael V (Jul 16)
- RE: Idea for making SSL more efficient Michael Howard (Jul 16)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 16)
- Re: Idea for making SSL more efficient Jason Coombs PivX Solutions (Jul 16)
- RE: Idea for making SSL more efficient Michael Howard (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)