[114362] in cryptography@c2.net mail archive
Re: Fixing SSL (was Re: Dutch Transport Card Broken)
daemon@ATHENA.MIT.EDU (Thierry Moreau)
Thu Jan 31 12:54:32 2008
Date: Thu, 31 Jan 2008 10:08:55 -0500
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Philipp Gühring <pg@futureware.at>
CC: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <200801301125.05983.pg@futureware.at>
Philipp Gühring wrote:
> Hi,
>
>
>>SSL key distribution and management is horribly broken,
>>with the result that everyone winds up using plaintext
>>when they should not.
>
>
> Yes, sending client certificates in plaintext while claiming that SSL/TLS is
> secure doesn't work in a world of phishing and identity theft anymore.
>
> We have the paradox situation that I have to tell people that they should use
> HTTPS with server-certificates and username+password inside the HTTPS
> session, because that's more secure than client certificates ...
>
> Does anyone have an idea how we can fix this flaw within SSL/TLS within a
> reasonable timeframe, so that it can be implemented and shipped by the
> vendors in this century?
>
> (I don't think that starting from scratch and replacing SSL makes much sense,
> since it's just one huge flaw ...)
>
If I recall correctly, SSL was designed chronologically after ISO OSI
Network-Layer Security Protocol (yes, the official WAN was actually X.25
at one point) or Transport Layer Security Protocol, both in their
connection-oriented flavor, which used ideas originating from DecNET
designs (researcher names Tardo, Alagappan; I once had a patent number
in this thread of protocol engineering, but I lost it). Anyway, the key
point in these visionary ideas is that the D-H exchange occurs *before*
the exchange of security certificates. This provided the traffic-flow
confidentiality that becomes desirable to protect privacy these days.
So, you got your fix with OSI NLSP or TLSP, you just have to overcome
the *power of the installed base*!
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com