Re: Humorous anti-SSL PR

2004-07-28 Thread Zooko
Eric:
On 2004, Jul 15, , at 17:55, Eric Rescorla wrote:
> There are advantages to message-oriented
> security (cf. S-HTTP) but this doesn't seem like a very convincing
> one.

Could you please elaborate on this, or refer me to a document which 
expresses your views?  I just read [1] in search of such ideas, but I 
have not yet read your book on TLS.

Thanks,
Zooko
[1] http://www.terisa.com/shttp/current.txt
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Humorous anti-SSL PR

2004-07-15 Thread J Harper
This barely deserves mention, but is worth it for the humor:
Information Security Expert says SSL (Secure Socket Layer) is Nothing More
Than a Condom that Just Protects the Pipe
http://www.prweb.com/releases/2004/7/prweb141248.htm



Re: Humorous anti-SSL PR

2004-07-15 Thread Eric Rescorla
J Harper [EMAIL PROTECTED] writes:

> This barely deserves mention, but is worth it for the humor:
> Information Security Expert says SSL (Secure Socket Layer) is Nothing More
> Than a Condom that Just Protects the Pipe
> http://www.prweb.com/releases/2004/7/prweb141248.htm

What's wrong with a condom that protects the pipe? I've used
condoms many times and they seemed to do quite a good job
of protecting my pipe.

-Ekr



Re: Humorous anti-SSL PR

2004-07-15 Thread Ian Grigg
J Harper wrote:

> This barely deserves mention, but is worth it for the humor:
> Information Security Expert says SSL (Secure Socket Layer) is Nothing More
> Than a Condom that Just Protects the Pipe
> http://www.prweb.com/releases/2004/7/prweb141248.htm

I guess the intention was to provide more end-to-end
security for transaction data.  After a reasonable start,
if a bit scattered, it breaks down with this:

> What we can be certain of is that it is not possible
> to have a man-in-the-middle attack with FormsAssurity
> - encryption ensures that the form has really come from
> the claimed web site, the form has not been altered,
> and the only person that can read the information
> filled in on the form is the authorized site.

Which is quite inconsistent - so much so that it seems
that the press release writer got confused over which
system he or she was talking about.

iang


RE: Humorous anti-SSL PR

2004-07-15 Thread Anton Stiglic

> This barely deserves mention, but is worth it for the humor:
> Information Security Expert says SSL (Secure Socket Layer) is Nothing More
> Than a Condom that Just Protects the Pipe
> http://www.prweb.com/releases/2004/7/prweb141248.htm

The article says

> The weaknesses of SSL implementations have been well known amongst security
> professionals, but their argument has been that SSL is the best tool
> currently on offer. The fact that it can be spoofed and is open to man in
> the middle attacks is played down.

O.k., so if there is a vulnerability in a particular implementation there
might be a possible MITM attack.  Also possible to do MITM if user doesn't
do proper verification.  But I wouldn't say that SSL implementations in
general are suspect to MITM attacks.
Later in the article it is written:

> What we can be certain of is that it is not possible to have a
> man-in-the-middle attack with FormsAssurity - encryption ensures that the
> form has really come from the claimed web site, the form has not been
> altered, and the only person that can read the information filled in on the
> form is the authorized site.

O.k., so how do they achieve such assurances?

Eric's comment about condoms being effective is right, so bad analogy as
well!

--Anton





Re: Humorous anti-SSL PR

2004-07-15 Thread John Denker
J Harper [EMAIL PROTECTED] wrote:

> This barely deserves mention, but is worth it for the humor:
> Information Security Expert says SSL (Secure Socket Layer) is Nothing More
> Than a Condom that Just Protects the Pipe
> http://www.prweb.com/releases/2004/7/prweb141248.htm

To which Eric Rescorla replied:

> What's wrong with a condom that protects the pipe? I've used
> condoms many times and they seemed to do quite a good job
> of protecting my pipe.

The humor just keeps on coming.  It's always amusing to
see an invocation of the principle that I've tried it
on several occasions and it seemed to work, therefore
it must be trustworthy.

What's wrong with this depends, as usual, on the threat
model.  Sometimes it is wise to consider other parts
of the system (not just the pipe) in the threat model.

If we set you up on a blind date with an underfed grizzly,
you might find that protecting your pipe with a condom
doesn't solve all your problems.