WebApp Sec mailing list archives
RE: Idea for making SSL more efficient
From: "Michael Howard" <mikehow () microsoft com>
Date: Fri, 16 Jul 2004 09:56:01 -0700
SSL provides many security features, including authentication, integrity checking and confidentiality. This solution provides only an integrity check, and weak one at that - only a hash, not a MAC. So what threat(s) concern you? [Writing Secure Code 2nd Ed] http://www.microsoft.com/mspress/books/5957.asp [Protect Your PC] http://www.microsoft.com/protect [Blog] http://blogs.msdn.com/michael_howard -----Original Message----- From: Paul Johnston [mailto:paul () westpoint ltd uk] Sent: Thursday, July 15, 2004 2:12 AM To: webappsec () securityfocus com Subject: Idea for making SSL more efficient Hi, A disadvantage with SSL is that it places increased load on the server, in particular because client's ISP caches cannot be used. In most situations the images on an SSL site are not confidential. If they are included as HTTP links then the browser will display a "mixture of secure and insecure content" warning. That is sensible, because an attacker could potentially manipulate the images to deceive the user. My idea is to include a MD5 hash of the image in the img tag, so in an https page you could do <img src="http://x.y.z/a.png" md5="xyz789"/> to reference an HTTP image. Images protected by these integrity checks would then not cause a browser warning. I expect roll-out would not be easy, and also there may be concerns about infering what is on the SSL page from what images are requested (e.g. whether "overdrawn.png" gets requested). Anyone got thoughts on this? Paul -- Paul Johnston Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk
Current thread:
- Idea for making SSL more efficient Paul Johnston (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 17)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- RE: Idea for making SSL more efficient V. Poddubnyy (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 17)
- <Possible follow-ups>
- RE: Idea for making SSL more efficient Scovetta, Michael V (Jul 16)
- RE: Idea for making SSL more efficient Michael Howard (Jul 16)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 16)
- Re: Idea for making SSL more efficient Jason Coombs PivX Solutions (Jul 16)
- RE: Idea for making SSL more efficient Michael Howard (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)