On Sat, Dec 02, 2000 at 12:22:50PM +0000, Ben Laurie wrote:
> Eric Murray wrote:
> >
> > On Sat, Dec 02, 2000 at 01:28:02AM +0800, Ng Pheng Siong wrote:
> > > On Thu, Nov 30, 2000 at 01:16:31PM -0800, Eric Murray wrote:
> > > > Either don't connect from a non-SSL client, or connect and negotiate
> > > > when to start SSL. The former is preferred.
> > >
> > > Eh? I'd imagine "the latter is preferred"?
> >
> > My reasoning is that an active attacker could change the bytes in
> > the insecure protocol to silently prevent it from negotiating to SSL.
> > If your protocol only works under SSL, then that's not possible.
>
> The IETF doesn't agree.
I know. I was a co-author of an IETF draft (ftp-ssl) for adding
SSL inside FTP. I think that approach makes sense for adding
SSL to existing protocols.
However, the original poster was talking about a non-standard custom
protocol. For that sort of thing it's simpler to do everything inside SSL.
--
Eric Murray Consulting Security Architect SecureDesign LLC
http://www.securedesignllc.com PGP keyid:E03F65E5
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
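The design point argued in this thread, as an added illustration that is not part of the original messages: a client that negotiates its upgrade to SSL/TLS over the insecure channel can be held on plaintext by an active attacker who rewrites the negotiation, whereas a protocol that is only ever spoken inside TLS has no pre-TLS step to rewrite. The capability-line wire format, the `STARTTLS` token and the policy names below are assumptions made for the demonstration; nothing touches the network.

```python
"""Simulated comparison of 'negotiate the upgrade' versus 'only works under TLS'.

Added example, not code from the thread or the OpenSSL project. The greeting
format (a list of capability tokens, optionally including "STARTTLS") is a
constructed stand-in for any upgrade-style protocol; no real I/O happens.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Outcome:
    encrypted: bool                      # did the session end up under TLS?
    transcript: List[str] = field(default_factory=list)  # what went on the wire


def server_greeting(supports_starttls: bool) -> List[str]:
    """Constructed capability advertisement of a hypothetical upgrade-style server."""
    caps = ["CAPA", "AUTH PLAIN"]
    if supports_starttls:
        caps.append("STARTTLS")
    return caps


def strip_starttls(caps: List[str]) -> List[str]:
    """The on-path tampering the thread describes, reduced to its effect: the
    client never sees the upgrade offer, so it believes TLS was not available."""
    return [c for c in caps if c != "STARTTLS"]


def upgrade_client(caps: List[str], require_tls: bool) -> Outcome:
    """Client for an 'upgrade inside the protocol' design (the IETF approach).

    require_tls=False: opportunistic; silently falls back to plaintext when no
                       STARTTLS is advertised, which is exactly the downgrade.
    require_tls=True:  refuses to proceed without the upgrade, so tampering
                       causes a visible failure instead of a cleartext session.
    """
    if "STARTTLS" in caps:
        return Outcome(True, ["STARTTLS", "TLS handshake", "AUTH over TLS"])
    if require_tls:
        raise ConnectionError("server did not offer STARTTLS; refusing to continue")
    return Outcome(False, ["AUTH PLAIN in cleartext"])


def implicit_tls_client() -> Outcome:
    """Eric's preferred design for a custom protocol: the TLS handshake is the
    first thing on the wire, so there is no plaintext negotiation to alter."""
    return Outcome(True, ["TLS handshake", "AUTH over TLS"])


def run_scenarios() -> dict:
    """Exercise each client policy against an honest and a tampered greeting."""
    honest = server_greeting(True)
    tampered = strip_starttls(honest)
    results = {
        "opportunistic/honest": upgrade_client(honest, False).encrypted,
        "opportunistic/tampered": upgrade_client(tampered, False).encrypted,
        "required/honest": upgrade_client(honest, True).encrypted,
        "implicit_tls": implicit_tls_client().encrypted,
    }
    try:
        upgrade_client(tampered, True)
        results["required/tampered"] = "connected"
    except ConnectionError:
        results["required/tampered"] = "aborted"
    return results


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:24s} -> {result}")
```

The only case that yields an unencrypted session is the opportunistic client facing a tampered greeting; requiring the upgrade turns that into a hard failure, and the implicit-TLS design never has a plaintext phase at all, which is why it is the simpler choice for a protocol that exists only under SSL.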