[18305] in cryptography@c2.net mail archive
Re: Another entry in the internet security hall of shame....
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Sat Aug 27 09:45:59 2005
X-Original-To: cryptography@metzdowd.com
To: Dave Howe <DaveHowe@gmx.co.uk>
Cc: Email@metzdowd.com,
List@metzdowd.com:Cryptography <cryptography@metzdowd.com>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 26 Aug 2005 14:57:00 -0700
In-Reply-To: <430F8349.6010501@gmx.co.uk> (Dave Howe's message of "Fri, 26
Aug 2005 22:02:01 +0100")
Dave Howe <DaveHowe@gmx.co.uk> writes:
> Ian G wrote:
>> none of the above. Using SSL is the wrong tool
>> for the job.
> For the one task mentioned - transmitting the username/password pair
> to the server - TLS is completely appropriate. However, hash based
> verification would seem to be more secure, require no encryption
> overhead on the channel at all, and really connections and crypto
> should be primarily P2P (and not server relayed) anyhow.
Well, it's still attractive to have channel security in order to
prevent hijacking. (Insert usual material about channel bindings
here...)
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
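Added example, not part of the original message: a minimal sketch of the channel-binding idea mentioned above, in which a hash-based challenge-response proof also covers a value unique to the secure channel, so a proof relayed over a different channel is rejected. The function names, the PBKDF2 verifier and the random stand-in for the binding value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    # Verifier the server stores in place of the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def respond(key: bytes, nonce: bytes, binding: bytes = b"") -> bytes:
    # Client proof: keyed hash over the fixed-length server nonce and,
    # optionally, a value unique to the secure channel the client sees.
    return hmac.new(key, nonce + binding, hashlib.sha256).digest()


def verify(key: bytes, nonce: bytes, proof: bytes, binding: bytes = b"") -> bool:
    # Server recomputes the proof with the channel value *it* sees.
    return hmac.compare_digest(respond(key, nonce, binding), proof)


def run_login(relayed: bool, use_binding: bool) -> bool:
    """Return True if the server accepts the proof it receives."""
    key = derive_key("constructed-password", b"constructed-salt")
    nonce = secrets.token_bytes(16)
    # Constructed stand-ins for a per-channel binding value (in real TLS this
    # would come from the TLS stack, e.g. the tls-unique binding of RFC 5929).
    server_channel = secrets.token_bytes(32)
    # If an intermediary terminates the client's connection and opens its own
    # to the server, the two ends are on different channels.
    client_channel = secrets.token_bytes(32) if relayed else server_channel
    proof = respond(key, nonce, client_channel if use_binding else b"")
    return verify(key, nonce, proof, server_channel if use_binding else b"")


if __name__ == "__main__":
    for relayed in (False, True):
        for use_binding in (False, True):
            accepted = run_login(relayed, use_binding)
            print(f"relayed={relayed} binding={use_binding} accepted={accepted}")
```

Without the binding, the proof verifies even when it arrived over a relayed connection, which is the hijacking case; with the binding, only the direct channel is accepted.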