Re: Is encryption over RCP possible?

2010-12-28 Thread Basdl
The protocol itself seems to be pretty safe. But with web applications you have the problem that the algorithm using that protocol is written in JavaScript. Therefore, you must guard this JS via SSL or it can be manipulated (e.g. send the password in plaintext to Mallory). In my opinion the performance

Re: Is encryption over RCP possible?

2010-12-27 Thread UseTheFork
I just came across the Secure Remote Password protocol (http://srp.stanford.edu/). To reduce the TLS/SSL load on the server, one could create accounts/pwd (and perform commercial transactions) using HTTPS, and carry on with SRP later. It would make encryption over RCP possible and lighter, while r

Re: Is encryption over RCP possible?

2010-12-19 Thread Basdl
I don't say it's impossible to forge a certificate. But I referred to the stored certificates (that should be valid). The problem is when a CA signs an invalid certificate - I didn't assume that. It's a big problem that you don't have control over whether a CA signs a certificate for your domain n

Re: Is encryption over RCP possible?

2010-12-19 Thread UseTheFork
For those who are interested in the weaknesses of SSL/TLS, here is more information: - http://code.google.com/p/littleblackbox/wiki/FAQ - http://www.thoughtcrime.org/software/sslsniff/

Re: Is encryption over RCP possible?

2010-12-19 Thread UseTheFork
On Dec 16, 9:15 am, Basdl wrote:
> Concerning your conclusion that root certificates stored in browsers
> were no pre-established secrets, I have a note:
> The certificates themselves were public but the server knows the
> corresponding secret key.
> So he can sign something and the client can va

Re: Is encryption over RCP possible?

2010-12-19 Thread UseTheFork
On Dec 15, 6:46 pm, Sripathi Krishnan wrote:
> Explain to me how Mallory can put in a fake/invalid/duplicate/whatever SSL
> certificate when Alice and Bob are communicating.
Mallory can start a C.A. business, like Go Daddy does. It would get its certificate from Verizon and then craft its own certi

Re: Is encryption over RCP possible?

2010-12-16 Thread Basdl
The linked article describes that the SSL was stripped out. This is not possible if the client requests an https URL (like https://mybank.example.com). If he calls http://mybank.example.com the attack is possible even if the bank redirects to https. The attacker just doesn't have to

Re: Is encryption over RCP possible?

2010-12-15 Thread Rob Coops
Fair enough, I have to say I have not seen that article before, interesting though... Anyway, see why I say use both: UNSECURE -> CERT. EXCHANGE -> CERT. VERIF -> KEY NEGOTIATION -> SECURE EXCHANGE -> JS TRANSFER -> CERT. EXCHANGE -> CERT. VERIF -> KEY NEGOTIATION -> SECURE EXCHANGE -> LOGIN FORM

Re: Is encryption over RCP possible?

2010-12-15 Thread Sripathi Krishnan
Explain to me how Mallory can put in a fake/invalid/duplicate/whatever SSL certificate when Alice and Bob are communicating.
1. Mallory can create a fake certificate and present it to Alice; but when Alice verifies the cert with Trent (i.e. Verisign) she will catch the MITM.
2. Mallory can

Re: Is encryption over RCP possible?

2010-12-15 Thread UseTheFork
Hi Rob,
On Dec 15, 9:39 am, Rob Coops wrote:
> Let's sum this up nice and quick...
>
>    - SSL/TLS uses certificates and is according to most as safe as it gets
>    - MITM attacks can and do happen, they could theoretically even mess with
>    SSL/TLS communication
>    - SSL/TLS MITM attacks ha

Re: Is encryption over RCP possible?

2010-12-15 Thread Rob Coops
Let's sum this up nice and quick...
- SSL/TLS uses certificates and is according to most as safe as it gets
- MITM attacks can and do happen, they could theoretically even mess with SSL/TLS communication
- SSL/TLS MITM attacks have to the best of my knowledge not been seen in the re

Re: Is encryption over RCP possible?

2010-12-14 Thread Basdl
@UseTheFork I agree with Sri that SSL/TLS is the best you can do. When using SSL/TLS you can force your application to use encryption (e.g. showing a login page if a request comes via http, or automatically redirecting). Therefore, Mallory can't just modify the protocol from https to http. The clie

Re: Is encryption over RCP possible?

2010-12-14 Thread UseTheFork
Hi Sri,
On Dec 13, 11:00 pm, Sripathi Krishnan wrote:
> @UseTheFork
> We have had similar discussions on the web security mailing lists. Here is a
> relevant discussion
> thread.
> Short summary is that SSL/TLS has its limi

Re: Is encryption over RCP possible?

2010-12-13 Thread Sripathi Krishnan
@UseTheFork We have had similar discussions on the web security mailing lists. Here is a relevant discussion thread. Short summary is that SSL/TLS has its limitations, but that's the best you can do. There are ways to get arou

Re: Is encryption over RCP possible?

2010-12-13 Thread Jeff Chimene
On 12/13/2010 01:27 PM, UseTheFork wrote:
> Hi Chris,
>
> On Dec 13, 5:14 pm, Chris Conroy wrote:
>> Please do not try to implement encryption yourself on the client side. This
>> is a fundamentally flawed idea. You will definitely not be doing anyone
>> (other than Eve) a service.
>
> Thanks fo

Re: Is encryption over RCP possible?

2010-12-13 Thread UseTheFork
Hi Chris,
On Dec 13, 5:14 pm, Chris Conroy wrote:
> Please do not try to implement encryption yourself on the client side. This
> is a fundamentally flawed idea. You will definitely not be doing anyone
> (other than Eve) a service.
Thanks for the advice, but I'll do it anyway. I have been readin

Re: Is encryption over RCP possible?

2010-12-13 Thread Chris Conroy
Please do not try to implement encryption yourself on the client side. This is a fundamentally flawed idea. You will definitely not be doing anyone (other than Eve) a service. SSL/TLS are secure since every OS ships with a set of certs that it trusts. If you need security for your application, thi

Re: Is encryption over RCP possible?

2010-12-13 Thread UseTheFork
Hi Sripathi,
Thanks for your feedback. I have been googling a little...
On Dec 13, 9:14 am, Sripathi Krishnan wrote:
> > Hi,
> >
> > I am a newbie to GWT and I am trying to find the best way to communicate
> > a password from a GWT application's client side to a server-side
> > service without usi

Re: Is encryption over RCP possible?

2010-12-13 Thread Sripathi Krishnan
>
> Hi,
>
> I am a newbie to GWT and I am trying to find the best way to communicate
> a password from a GWT application's client side to a server-side
> service without using SSL. Of course, I am thinking about account
> creation and login issues. We don't want Eve and Mallory to fiddle with
> the

Is encryption over RCP possible?

2010-12-12 Thread UseTheFork
Hi, I am a newbie to GWT and I am trying to find the best way to communicate a password from a GWT application's client side to a server-side service without using SSL. Of course, I am thinking about account creation and login issues. We don't want Eve and Mallory to fiddle with the communication.