[EMAIL PROTECTED] wrote:
> Being a little picky here - but SSL does not prevent sniffing. The encrypted data that can
> be sniffed has to be decrypted to be of any use. Provided you have a "strong" algorithm
> and a sufficient encryption level to make a brute-force attack futile (40 or 56 bit would not
> be sufficient), the data should not be able to be decrypted. Just my two cents.
Side note (adding to what you said):
SSL traffic can be sniffed. The sniffer just gets encrypted traffic. The sniffer can then decide to cryptanalyse or brute-force the packets (cryptanalysis better because of known/guessable header contents in starting packets) at their leisure. If your data is sensitive enough (SSN's should come to mind), the amount of time to brute-force a standard SSL connection (even a "high" security one) shouldn't be considered good enough. If your attacker cares to and captures all of your users' traffic for two years and spends 10 years in the background cracking it all, they may have information that was worth the wait (especially if they're selling identity changes, etc.).
SSL's encryption strength needs to be severely re-thought in light of current uses and future uses of encrypted web traffic.
--
Michael T. Babcock (PGP: 0xBE6C1895)
http://www.fibrespeed.net/~mbabcock/