[4854] in WWW Security List Archive
Re: Netscape-Enterprise/2.01 https SLOOOOWW
daemon@ATHENA.MIT.EDU (Vinnie Vedi Dolavimus)
Wed Mar 19 22:58:23 1997
Date: Wed, 19 Mar 1997 20:33:59 -0500 (EST)
From: Vinnie Vedi Dolavimus <sfuze@escape.com>
To: Adam Shostack <adam@homeport.org>
cc: "Brian W. Spolarich" <briansp@ans.net>, fischer@ucet.ufl.edu,
WWW-SECURITY@ns2.rutgers.edu
In-Reply-To: <199703181237.HAA00345@homeport.org>
Errors-To: owner-www-security@ns2.rutgers.edu
While I certainly agree with what you're saying, Adam, I do want to point
out that the amount of fraud taking place on the net is actually LESS
than that which is taken place on a regular credit card. Think this way
-- how many times do people simply hand over a credit card to a waiter, a
store, over the phone (which is supremely insecure -- especially if you
consider how many transactions take place over cell and cordless
nowadays), etc. -- and compare it to how easily one of them can copy it
down vs. how easily someone on the net can. Simply put, it's alot more
likely someone will copy your cc# at a restaurant than they will sniff
your network.
That said, SSL technology *is* getting more and more advanced, and with
one-time password implementation becoming more common (I know you have an
interest in SecurID) among financial institutions, along with SSL and the
increasingly common idea of a VPN (and stuff like SmartGate), more and
more vendors are cooperating -- cooperation can only improve things and
more things at a faster pace -- look at organized crime for an example of
that :)
--Millie.
On Tue, 18 Mar 1997, Adam Shostack wrote:
> Is it off topic? Isn't wwws an IETF wg on the subject?
> Shouldn't we be concerned about the fact that there is no high
> performance security mechanism for the web in any event?
>
> A lot of banks are using SSL right now. Banks tend to have
> long term relationships with their customers, and could probably do
> a more occaisonal key exchange than is done in SSL, and use some form
> of challenge/response system for day to day transactions.
>
> I know of at least one large bank in Boston that is planning
> to roll out V-One's SmartGate software with Navigator because it does
> exactly this.
>
> Adam
>
>
> Brian W. Spolarich wrote:
> |
> | Randy, I'd call Netscape tech support or post to secnews:netscape.server
> | if you believe you're having problems. The SSL handshake does degrade
> | server performance significantly. I believe I saw something to the effect
> | that you get about 1/10th the performance with SSL connections.
> |
> | This posting is rather off-topic for www-security.
> |
> | -brian
> |
> | On Sun, 16 Mar 1997, Randy Fischer wrote:
> |
> | | I've just started working with a Netscape-Enterprise/2.01
> | | server and am finding I get very poor performance
> | | when running securely against the https port compared
> | | to the http port -- on the order of 3-5 times as long
> | | to serve up a page. This seems way too slow, I must
> | | have misconfigured something. Has anyone else seen
> | | this problem? I'm trying to find the bottleneck.
> | | What are your experiences with performance tuning?
> | |
> | | Randy Fischer
> | |
> |
> | --
> | Brian W. Spolarich - ANS Systems Development - briansp@ans.net - 313-677-7311
> | "More matter, with less art." - Hamlet, II, ii
> |
>
>
> --
> "Well, that depends. Do you mind the end of civilization as we know
> it?"
>
>
>
>
>
