Re: Humorous anti-SSL PR
Eric: On 2004, Jul 15, , at 17:55, Eric Rescorla wrote: There are advantages to message-oriented security (cf. S-HTTP) but this doesn't seem like a very convincing one. Could you please elaborate on this, or refer me to a document which expresses your views? I just read [1] in search of such ideas, but I have not yet read your book on TLS. Thanks, Zooko [1] http://www.terisa.com/shttp/current.txt - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Humorous anti-SSL PR
This barely deserves mention, but is worth it for the humor: Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe http://www.prweb.com/releases/2004/7/prweb141248.htm - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Humorous anti-SSL PR
J Harper [EMAIL PROTECTED] writes: This barely deserves mention, but is worth it for the humor: Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe http://www.prweb.com/releases/2004/7/prweb141248.htm What's wrong with a condom that protects the pipe? I've used condoms many times and they seemed to do quite a good job of protecting my pipe. -Ekr - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Humorous anti-SSL PR
J Harper wrote: This barely deserves mention, but is worth it for the humor: Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe http://www.prweb.com/releases/2004/7/prweb141248.htm I guess the intention was to provide more end-to-end security for transaction data. After a reasonable start, if a bit scattered, it breaks down with this: What we can be certain of is that it is not possible to have a man-in-the-middle attack with FormsAssurity encryption ensures that the form has really come from the claimed web site, the form has not been altered, and the only person that can read the information filled in on the form is the authorized site. Which is quite inconsistent - so much so that it seems that the press release writer got confused over which system he or she was talking about. iang - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Humorous anti-SSL PR
This barely deserves mention, but is worth it for the humor: Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe http://www.prweb.com/releases/2004/7/prweb141248.htm The article says The weaknesses of SSL implementations have been well known amongst security professionals, but their argument has been that SSL is the best tool currently on offer. The fact that it can be spoofed and is open to man in the middle attacks is played down. O.k., so if there is a vulnerability in a particular implementation there might be a possible MITM attack. Also possible to do MITM if user doesn't do proper verification. But I wouldn't say that SSL implementations in general are suspect to MITM attacks. Later in the article it is written: What we can be certain of is that it is not possible to have a man-in-the-middle attack with FormsAssurity - encryption ensures that the form has really come from the claimed web site, the form has not been altered, and the only person that can read the information filled in on the form is the authorized site. O.k., so how do they achieve such assurances? Eric's comment about condoms being effective is right, so bad analogy as well! --Anton - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Humorous anti-SSL PR
J Harper [EMAIL PROTECTED] wrote: This barely deserves mention, but is worth it for the humor: Information Security Expert says SSL (Secure Socket Layer) is Nothing More Than a Condom that Just Protects the Pipe http://www.prweb.com/releases/2004/7/prweb141248.htm To which Eric Rescorla replied: What's wrong with a condom that protects the pipe? I've used condoms many times and they seemed to do quite a good job of protecting my pipe. The humor just keeps on coming. It's always amusing to see an invocation of the principle that I've tried it on several occasions and it seemed to work, therefore it must be trustworthy. What's wrong with this depends, as usual, on the threat model. Sometimes it is wise to consider other parts of the system (not just the pipe) in the threat model. If we set you up on a blind date with an underfed grizzly, you might find that protecting your pipe with a condom doesn't solve all your problems. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
