[1757] in WWW Security List Archive
Re: The Netscape security "key": misleading??
daemon@ATHENA.MIT.EDU (Jason Smith)
Fri Mar 29 18:30:26 1996
Date: Fri, 29 Mar 1996 14:47:54 +0000
From: Jason Smith <jason@mitre.org>
To: dymmd@source.asset.com
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
SSL allows for two way encryption (although you can do SSL with no encryption).
The client and the server can do a key exchange WITHOUT a browser certificate. The
browser can encrypt a master session key using the server's public key exchange
key. Clients and Servers use the master key to generate session keys, which are
used for two-way channel encryption.
Jason Smith
jason@mitre.org
-----------------------
David Robert Dymm wrote:
>
> When using Netscape to connect to a secure site, the "key" at the lower
> left of the Netscape display changes from broken to solid to indicate that
> you are connected to a site with a secure server that understands the SSL
> protocol. However I contend that this is misleading to users.
>
> My understanding is that the SSL protocol provides for the ability of the
> browser to encrypt information sent to the server using the server's public
> key. In that sense, the connection is secure. However the link from server
> to browser is still insecure. With the SSL protocol, there is no way to
> send encrypted information from server to browser. But even if this was
> part of the protocol, the server would have to use its private key to
> encrypt documents and since the server's "public key" is public by
> definition, then anyone snooping packets on the net could grab the document
> and decrypt it. But do all users understand this when they see the solid
> key indicating a secure connection? Might users not think that the
> connection is fully secure in both directions?
>
> Now if we use the S-HTTP protocol and if the browser has a certificate,
> then the server can use the browser's public key to encrypt information
> sent to the browser and only the browser can decrypt it. But this only
> works if the browser has a certificate - and probably very few people will
> bother to get a certificate.
>
> Comments anyone?
>
> David Dymm
> dymmd@source.asset.com
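
The key exchange described in the reply at the top of this message, as an added sketch that is not part of the original posts and is not SSL's actual code: the browser wraps a master key under the server's public key, both sides derive one key per direction, and the server-to-browser traffic is encrypted with a symmetric key rather than the server's private key. Assumptions: the RSA key is a constructed toy (two Mersenne primes, no padding), HMAC-SHA256 stands in for SSL's real key derivation and negotiated cipher, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key: two Mersenne primes, textbook RSA without padding.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                            # (N, E) is the server's public key
D = pow(E, -1, (P - 1) * (Q - 1))    # server's private exponent

def derive_keys(master: bytes, client_nonce: bytes, server_nonce: bytes):
    """Derive one key per direction from the master key (stand-in KDF)."""
    seed = client_nonce + server_nonce
    c2s = hmac.new(master, b"client write" + seed, hashlib.sha256).digest()
    s2c = hmac.new(master, b"server write" + seed, hashlib.sha256).digest()
    return c2s, s2c

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC counter keystream (encrypt == decrypt)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake_and_exchange(request: bytes, response: bytes) -> dict:
    client_nonce, server_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    # Browser: choose a master key and encrypt it under the server's PUBLIC key.
    master = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(master, "big"), E, N)
    # Server: recover the master key with its PRIVATE exponent.
    # No browser certificate is involved anywhere in this exchange.
    server_master = pow(wrapped, D, N).to_bytes(16, "big")
    c_keys = derive_keys(master, client_nonce, server_nonce)
    s_keys = derive_keys(server_master, client_nonce, server_nonce)
    # Browser -> server, under the client-write key.
    wire_req = xor_stream(c_keys[0], request)
    got_req = xor_stream(s_keys[0], wire_req)
    # Server -> browser, under the server-write key (symmetric, not RSA).
    wire_resp = xor_stream(s_keys[1], response)
    got_resp = xor_stream(c_keys[1], wire_resp)
    return {"keys_match": c_keys == s_keys, "wire_req": wire_req,
            "wire_resp": wire_resp, "got_req": got_req, "got_resp": got_resp}

if __name__ == "__main__":
    print(handshake_and_exchange(b"GET /order", b"<html>order accepted</html>"))
```

An eavesdropper who knows only `(N, E)` sees `wrapped`, `wire_req` and `wire_resp`; reading either direction requires the master key, which only the holder of `D` can unwrap.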