What you're basically saying is that if someone can sniff packets, and
brute force their way into decrypting the information, is their
data safe, and is this a possible scenario.

No, their data won't be safe. Yes, this is possible. There are
plenty of studies that have shown how much computing power it
will take to break a particular cipher. That's why some
organizations adopt ciphers such as 128-bit (if you can get
a server supporting them) that can't be broken by brute
force.

Thomas

Stephan Bauer wrote:
> 
> Hi,
> 
> I would enjoy hearing some opinions on the following
> potential scenario :
> 
> The SSL-Client does no client-auth. and has to transmit
> one string, that contains security-sensitive data.
> Let's think of a man-in-the-middle who lets through
> the handshake-packets, but blocks the data-packets.
> He then performs a brute-force-attack on the sent data,
> and opens a completely new SSL-Connection with the server,
> transmitting the data, that the server expects to receive
> from the one real client.
> 
> I know, with client-auth. you could avoid this, but some
> customers of our solution might not be able to configure
> their server for client-auth. So how realistic do
> you think this to be?
> 
> Thanks,
> 
> Stephan
> --------------------------
> Tel : +49 89 92699114
> Fax : +49 89 92699226
> mail: [EMAIL PROTECTED]
> www : http://www.ecrc.de
> 
> Cable & Wireless ECRC GmbH
> --------------------------
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
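
Added example, not part of the original thread and not OpenSSL project code: a Python audit of which cipher suites a TLS context would negotiate, with the average exhaustive-search time for each key size, to make concrete the point about 128-bit ciphers raised in the reply. The attacker rate of 1e12 keys per second, the helper names and the SAMPLE entries are assumptions made for illustration.

```python
import ssl

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def expected_years(strength_bits, keys_per_second):
    """Average exhaustive-search time: half the keyspace at the given rate."""
    return 2 ** (strength_bits - 1) / keys_per_second / SECONDS_PER_YEAR

def audit(ciphers, min_bits=128, keys_per_second=1e12):
    """Annotate cipher dicts (same shape as SSLContext.get_ciphers() entries)."""
    report = []
    for c in ciphers:
        bits = c["strength_bits"]
        report.append({
            "name": c["name"],
            "bits": bits,
            "years": expected_years(bits, keys_per_second),
            "ok": bits >= min_bits,
        })
    return report

def weak_names(ciphers, min_bits=128):
    """Names of suites whose secret key is shorter than min_bits."""
    return [r["name"] for r in audit(ciphers, min_bits) if not r["ok"]]

def enabled_ciphers(cipher_string="HIGH:!aNULL:!eNULL"):
    """Suites the local OpenSSL build enables for this cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

# Constructed sample: two legacy short-key suites and one 128-bit suite.
SAMPLE = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "AES128-SHA", "strength_bits": 128},
]

if __name__ == "__main__":
    for row in audit(SAMPLE + enabled_ciphers()):
        flag = "ok  " if row["ok"] else "WEAK"
        print(f'{flag} {row["name"]:<32} {row["bits"]:>3} bits '
              f'~{row["years"]:.2e} years')
```

Running it against the cipher string a server is configured with shows whether any suite below 128 bits could still be negotiated.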