Thread: Can SSL sessions be compromised?
View Single Post
  #10 (permalink)  
Old 04-06-2007, 05:14 PM
Anne & Lynn Wheeler
Guest
  
Posts: n/a
Default Re: Can SSL sessions be compromised?
comphelp@toddh.net (Todd H.) writes:
> MITM, is indeed relatively simple with SSL.
>
> The silly post I replied which you trimmed implied weakness in the
> encryption, which if it actually exists must be a compromise that is
> very tightly held.

re:
http://www.garlic.com/~lynn/2007g.html#32 Can SSL sessions be compromised?
http://www.garlic.com/~lynn/2007g.html#38 Can SSL sessions be compromised?
http://www.garlic.com/~lynn/2007g.html#58 Can SSL sessions be compromised?

note that SSL is fairly, large, complex, expensive infrastructure to
deploy with the certification authorities, PKIs, digital certificates,
etc ... all primarily addressed at the part of SSL directed at
preventing things like MITM-attacks.

the encryption part, by comparison, is much more reliable and trusted.
however, there are much simpler and less expensive ways to do such
encryption (if you weren't trying for MITM countermeasures).

to make the situation even more interesting ... there have been numerous
discussions about the period when SSL was introduced ... that there
actually hadn't been any known fraud from evesdropping attacks
(listening to unencrypted transmissions) ... but there numerous
situations where fraud resulted in all kinds of end-point attacks and
MITM-attacks.

as a result, the evesdropping countermeausres (i.e. the encryption) was
possibly the least needed ... while the MITM and end-point protections
were the most needed. The additional, very expensive and very complexity
in SSL was in large part justified as being countermeasures to the much
more prevalent vulnerabilities (not the encryption for the evesdropping
countermeasures).

however, all that additional complexity and very expensive
infrastructure appears to have provided little additional security in
the form of effective countermeasures to numerous kinds of MITM and
end-point attacks.

i would contend that the encryption part of SSL is by far and away the
more secure part of SSL ... and also possibly the least needed ... in
terms of countermeasures to prevalent attacks (before the introduction
of SSL).

the counter argument is that once SSL had been deployed ... that since
the encrypted/transmission part has by far and away the highest level of
security ... that then the attackers go after the weakest points ... the
MITM and end-point attacks

lots of past posts mentioning SSL
http://www.garlic.com/~lynn/subpubkey.html#sslcert

Reply With Quote