[118780] in Cypherpunks
Re: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)
daemon@ATHENA.MIT.EDU (Ed Gerck)
Thu Oct 7 21:40:39 1999
Message-ID: <37FD4232.4E1E460D@nma.com>
Date: Thu, 07 Oct 1999 18:00:34 -0700
From: Ed Gerck <egerck@nma.com>
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@ai.mit.edu>
CC: Robert Hettinga <rah@shipwright.com>, dcsb@ai.mit.edu,
cypherpunks@cyberpass.net, cryptography@c2.net
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Reply-To: Ed Gerck <egerck@nma.com>
This is a copy of my comments sent to the author
of "SSL is dead?" at securityportal:
---------------------------------------------------------
Kurt's report "Is SSL dead?" at
http://securityportal.com/closet/closet19990930.html
is old news and has a mistake.
The old news can be seen from my own Overview of Certification Systems
published in 1987, which has been downloaded more than 80,000 times, in
the short (and, newer) version at http://www.mcg.org.br/certover.pdf as well
as the longer version at http://www.mcg.org.br/cert.htm -- look for the Ed
Felten's reference and topic discussion as well as the other problems in SSL
and certification (including the client-server asymmetry for requesting
certificates).
The mistake though is to forget that SSL is a tool to security -- not
security-in-a-box. SSL and digital certificates are not self secure but they
can be useful building blocks in a secure system.
Cheers,
Ed Gerck
Phillip Hallam-Baker wrote:
> This is a problem with SSL 2.0 first discovered by Simon Spero then at
> EIT.
>
> It was fixed in SSL 3.0, that must be almost three years ago.
>
> The server certificate now binds the public key to a specific Web server
> address.
>
> Phill
>
> -----Original Message-----
> From: bounce-dcsb@ai.mit.edu [mailto:bounce-dcsb@ai.mit.edu]On Behalf Of
> Robert Hettinga
> Sent: Wednesday, October 06, 1999 4:22 PM
> To: dcsb@ai.mit.edu; cypherpunks@cyberpass.net; cryptography@c2.net
> Subject: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second
> Ed.)
>
> At 2:00 PM -0400 on 10/6/99, ecarm-news@ecarm.org wrote:
>
> > Title: Special Kurt's Closet: Is SSL dead?
> > Resource Type: News letter
> > Date: Semptember 30, 1999
> > Source: Security Portal
> > Author: Kurt Seifried
> > Keywords: INTERNET/WWW ,SECURITY ISSUES ,ONLINE SHOPPING ,SSL
> >
> > Abstract/Summary:
> > The title is a bit scary, but I wanted to get your attention
> >(worked, didn't it?). Most
> > security experts have been aware of problems with SSL, but
> >generally speaking we
> > haven't said much because there wasn't much of a replacement
> >available for it,
> > and it hasn't been exploited extensively (chances are it will be,
> >though). I'll start
> > with an explanation of the basic attack, followed by some methods
> >to protect yourself,
> > and finish with an interview with Dale Peterson of DigitalBond and
> >the summary.
> >
> > How to do it
> >
> > Let's say I want to scam people's credit card numbers, and don't
> >want to break into
> > a server. What if I could get people to come to me, and voluntarily
> >give me their
> > credit card numbers? Well, this is entirely too easy.
> >
> > I would start by setting up a web server, and copying a popular
> >site to it, say
> > www.some-online-store.com, time required to do this with a tool
> >such as wget is
> > around 20-30 minutes. I would then modify the forms used to submit
> >information
> > and make sure they pointed to my server, so I now have a copy of
> > www.some-online-store.com that looks and feels like the "real"
> >thing. Now, how do
> > I get people to come to it? Well I simply poison their DNS caches
> >with my information,
> > so instead of www.some-online-store.com pointing to 1.2.3.4, I
> >would point it to
> > my server at 5.6.7.8. Now when people go to
> >www.some-online-store.com they end
> > up at my site, which looks just like the real one.
> >
> > Original URL: http://securityportal.com/closet/closet19990930.html
> >
> > Added: Wed Oct 6 12:41:14 -040 1999
> > Contributed by: Keeffee
>
> -----------------
> Robert A. Hettinga <mailto: rah@ibuc.com>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
>
> For help on using this list (especially unsubscribing), send a message to
> "dcsb-request@ai.mit.edu" with one line of text: "help".
--
Cheers,
Ed Gerck
______________________________________________________________________
http://www.mcg.org.br/authors/eg.htm egerck@nma.com
