Firewall Wizards mailing list archives
Re: Security of HTTPS
From: Frank Knobbe <frank () knobbe us>
Date: Sun, 28 Nov 2004 10:43:47 -0600
On Sun, 2004-11-28 at 10:15, Ng Pheng Siong wrote:
> In SSL/TLS, the client certificate request is optional, and its typical use, HTTPS, does not require client certificates, so there is no client public/private key here that can be used to "transfer encrypted key material".

Right. But even if client certificates are used, these are only used for authentication (signature check) and not for encryption during master-key negotiation. That issue is something I have had on my mind ever since Michael Warfield's discussion about this in Focus-IDS.

I'd like to remember that issue for comparisons between SSL VPNs with other types of VPNs (IPSec or SSH) as these do not have the same ...uhm... weakness. I still think people put too much stock in SSL VPNs. Oh well...

Cheers,
Frank