On Thu, Apr 10, 2014 at 06:16:33PM -0700, Wim Lewis wrote:

> But if you're using TLS at all, then presumably this is because
> the TCP/IP network over which TLS is running is potentially insecure
> in some way (e.g., it's the open internet); an attacker with the
> ability to send packets on that layer could start making TLS
> connections and extracting data even with no knowledge of your
> proprietary protocol. If you are in a situation where you are only
> concerned about purely passive eavesdroppers on that connection,
> though, then I believe you are safe.

Lack of concern for MiTM attacks is quite different from lack of
concern about possible connections to the server from malicious
clients that are not in the middle of protected connections.

Even using SSL only against passive attacks on legitimate connections,
one has to take care of security issues that can be exploited by
hostile clients.  It is very unlikely that the OP can sit this one out.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
