Full Disclosure mailing list archives
Re: Five Ways to Screw Up SSL
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 22 May 2006 07:43:47 +0200
* Michal Zalewski:
SSL Mistake #2 - Assuming a signed certificate is the right certificateI don't understand what you're trying to say here: it seems to me that you're suggesting that allowing all users with a valid certificate the same privileges is a bad idea. Probably, but this has little to do with certificates or SSL - the same may be true for passwords or any other scheme.
There are some APIs in wide use which encourage this kind of misuse (authenticate the CA, not the certificate holder) because doing it right is somewhat difficult or allegedly has a performance impact (copying the entire certificate to an environment variable, for example).
SSL Mistake #3 - Falling back to TCP
You are very, very seriously confused about the relation between SSL, TCP, and just about everything else.
Fallback to non-encrypted connections is quite common for protocols like SMTP and IMAP. I doubt this is a significant issue. Protection against passive eavesdropping is better than no protection at all. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re[2]: Five Ways to Screw Up SSL, (continued)
- Re[2]: Five Ways to Screw Up SSL Thierry Zoller (May 21)
- Re: Re[2]: Five Ways to Screw Up SSL Dude VanWinkle (May 22)
- Re: Five Ways to Screw Up SSL Michael Holstein (May 22)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 22)
- Re: Five Ways to Screw Up SSL Valdis . Kletnieks (May 22)
- Re: Five Ways to Screw Up SSL Brian Dessent (May 22)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 23)
- Re: Five Ways to Screw Up SSL Brian Eaton (May 23)
- Re: Five Ways to Screw Up SSL Dude VanWinkle (May 23)
- Re: Five Ways to Screw Up SSL Michael Holstein (May 22)