[731] in bugtraq
Re: "Secure Socket Layer" protocol (NYT Article)
daemon@ATHENA.MIT.EDU (Rens Troost)
Tue Jan 24 14:40:36 1995
To: Richard Huddleston <reh@wam.umd.edu>
Cc: perry@imsi.com, bugtraq@fc.net
In-Reply-To: Your message of "Mon, 23 Jan 1995 21:46:01 EST."
<199501240246.VAA14885@rac9.wam.umd.edu>
Reply-To: rens@imsi.com
Date: Tue, 24 Jan 1995 11:34:40 -0500
From: Rens Troost <rens@imsi.com>
> Richard Sez:
>
> There's a protocol being touted by Netscape Communications Corporation
> (formerly Mosaic Communications Corporation) which is supposedly strong
> enough to conduct commerce over. Its description is in a document with
> all the RFC-bound trappings, located on http://www.mcom.com/someplace.

http://www.mcom.com/info/SSL.html

> I'm not a member of the Brainiac Protocol Busters Club, but the protocol
> looks pretty good to me. In lieu of the IETF protocol, has anybody
> spotted flaws in the SSL? It's up and working now, apparently.

SSL is a perfectly fine session-level encryption protocol; it layers
conceptually on top of TCP and under (ftp, http, whatever) and
provides support for a number of different block and stream encryption
methods.

It does have a few problems:

1> It's yet another standard to do this, and is only
   implemented currently in Netscape.
2> The authentication and encryption are associated with
   the session/connection, and not with the transported data.
   This makes it useless when a proxy is involved.
3> It looks like S-HTTP is going to be the standard and not
   SSL. S-HTTP is also available now.
4> The spec author (kipp@warp.mcom.com) does not seem to have
   time to help others implement SSL, and there is no
   mailing list as yet.

But, on the other hand, it's a perfectly good design for doing what it
does, and it is deployed in the Netscape and Netsite software.

-Rens
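
Added example, not part of the original post: a sketch of point 2, contrasting integrity bound to the session with integrity bound to the transported data when a proxy sits in the path. It assumes a proxy that terminates one protected session and opens another; all names, the HMAC construction and the shared origin key are hypothetical and stand in for no real SSL or S-HTTP code.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # SHA-256 HMAC length


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Session:
    """Session-level protection: the key exists only for one connection."""

    def __init__(self):
        self.key = os.urandom(32)

    def send(self, data: bytes):
        return data, mac(self.key, data)

    def receive(self, record) -> bytes:
        data, tag = record
        if not hmac.compare_digest(tag, mac(self.key, data)):
            raise ValueError("session record failed integrity check")
        return data


def relay_through_proxy(payload: bytes, rewrite) -> bytes:
    """Assumed proxy: ends the server-side session, starts a client-side one."""
    server_to_proxy, proxy_to_client = Session(), Session()
    at_proxy = server_to_proxy.receive(server_to_proxy.send(payload))
    at_proxy = rewrite(at_proxy)  # data is unprotected inside the proxy
    return proxy_to_client.receive(proxy_to_client.send(at_proxy))


def wrap(origin_key: bytes, body: bytes) -> bytes:
    """Message-level protection: the tag travels with the data itself."""
    return body + mac(origin_key, body)


def unwrap(origin_key: bytes, blob: bytes):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return body if hmac.compare_digest(tag, mac(origin_key, body)) else None


ORIGIN_KEY = b"constructed-demo-key-not-a-real-one"  # constructed sample value
BODY = b"item=widget&price=10"                       # constructed sample value


def tamper(data: bytes) -> bytes:
    return data.replace(b"price=10", b"price=99")
```

Both sessions verify correctly on every hop, so the client has no way to tell that `tamper` ran; only the tag carried with the body exposes the change.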