Firewall Wizards mailing list archives

Re: Security of HTTPS


From: Ng Pheng Siong <ngps () netmemetic com>
Date: Mon, 29 Nov 2004 01:06:20 +0800

On Sun, Nov 28, 2004 at 10:43:47AM -0600, Frank Knobbe wrote:
That issue is something I have on my mind ever since Michael Warfield's
discussion about this in Focus-IDS. I'd like to remember that issue for
comparisons between SSL VPNs with other types of VPNs (IPSec or SSH) as
these do not have the same ...uhm... weakness. 

I'm assuming the issue you refer to here is the client's generating the
premaster secret during SSL handshaking, instead of using some kind of
keying material supplied by the server.

Is the Michael Warfield discussion entitled "SSL and IPS" and dated about
24 Jun 2004? I just skimmed that one very quickly: it seemed to be talking
about an IDS watching traffic over the wire, not a proxy doing MITM
actively and generating "pretend" certs on the fly.

I still think people put too much stock in SSL VPNs.

SSL VPNs give you security without compromising convenience! Woo-hoo!

;-)

-- 
Ng Pheng Siong <ngps () netmemetic com> 

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption