João wrote:
> Hi
>
> I'm glad for your negative answer and that's also what I suspect :-)
>
> ... but I didn't really understand why.
>
> Maybe I didn't really fully explain myself, the problem is not really
> ensuring secrecy and integrity, it's ensuring delivery.

No protocol can ensure the other side got the data. The network can always fail.

> As I understand it this is normally done with TCP ACK segments: in a
> normal (non-SSL) TCP application, the receiver B sends back a TCP
> segment containing the sequence number of any messages received so
> far, and piggybacks any reply to it.

The receipt of a TCP ACK segment does not prove that the other application received the data. No application action is needed for TCP ACKs to be generated.

> If no reply is needed the payload of this ACK is empty I suppose.
>
> If this is the case with SSL/TCP as well, then I suppose an attacker
> could fake the ACK, because he wouldn't have to place any encrypted
> data on it, just tweak the sequence number fields. Thus he could block
> the original message and send this fake reply back to A.
>
> In this case A doesn't expect anything else, it wouldn't know that B
> didn't actually receive the message! Also B would be unaware that A
> has actually sent a message!

The exact same thing would happen if the network link were broken. SSL does not place any weight on TCP acknowledgements. Forging the TCP acknowledgements would gain the attacker nothing.

> In this case the attacker would have tampered with the delivery
> assurance of TCP but none of the sides would be aware of that.

TCP does not provide "delivery assurance". If the application needs to know the data got through, it must use application-level acknowledgements. SSL does not change this and provides the same set of guarantees and assurances TCP does.

When you send a message over TCP, you never get any guarantee the message was received on the other side unless you code your own application-level acknowledgement. Neither TCP nor SSL provides some "the other side got the data" indicator.
DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
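The point DS makes, that `send()` returning and the kernel's TCP ACK say nothing about whether the peer application processed the data, is easiest to see with a small application-level acknowledgement protocol. The following is an added example written for this page, not code from the thread or from OpenSSL. It assumes a constructed frame layout (message id, type byte, length, payload) over a loopback TCP socket, and it models "the bytes arrived but the receiving application never handled them" by having the receiver read, but deliberately not acknowledge, any payload starting with `DROP`. The sender only learns a message got through when the receiver's own ACK frame comes back; for the dropped message it times out, even though TCP itself acknowledged every byte.

```python
"""Application-level acknowledgement over TCP (constructed example)."""
import socket
import struct
import threading

# Constructed frame layout: id (u32) | type (u8) | payload length (u16) | payload
FRAME = struct.Struct("!IBH")
T_DATA, T_ACK = 1, 2


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP is a byte stream, so one recv() may return a partial frame."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return bytes(buf)


def send_frame(sock: socket.socket, msg_id: int, ftype: int, payload: bytes = b"") -> None:
    sock.sendall(FRAME.pack(msg_id, ftype, len(payload)) + payload)


def recv_frame(sock: socket.socket):
    msg_id, ftype, length = FRAME.unpack(recv_exact(sock, FRAME.size))
    return msg_id, ftype, recv_exact(sock, length)


def serve_one(listener: socket.socket, drop_prefix: bytes = b"DROP") -> None:
    """Receiver B: send an application ACK only once a DATA frame has been processed.

    Frames whose payload starts with drop_prefix are read off the socket (so the kernel
    has already emitted its TCP ACK for those bytes) but never processed or acknowledged.
    That models an application that stalls or crashes after the data reached its host.
    """
    conn, _ = listener.accept()
    with conn:
        try:
            while True:
                msg_id, ftype, payload = recv_frame(conn)
                if ftype == T_DATA and not payload.startswith(drop_prefix):
                    send_frame(conn, msg_id, T_ACK)
        except (ConnectionError, OSError):
            pass


def send_with_ack(sock: socket.socket, msg_id: int, payload: bytes, timeout: float = 0.5) -> bool:
    """Sender A: sendall() returning means the bytes were handed to the local kernel, nothing more.

    Returns True only when the peer application's ACK for this message id arrives,
    False if no such ACK shows up within the timeout.
    """
    send_frame(sock, msg_id, T_DATA, payload)
    sock.settimeout(timeout)
    try:
        while True:
            ack_id, ftype, _ = recv_frame(sock)
            if ftype == T_ACK and ack_id == msg_id:
                return True
    except socket.timeout:
        return False


def demo():
    """Send one message the receiver handles and one it silently drops; return both outcomes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral loopback port
    listener.listen(1)
    threading.Thread(target=serve_one, args=(listener,), daemon=True).start()
    with socket.create_connection(listener.getsockname()) as sock:
        acked = send_with_ack(sock, 1, b"hello")          # receiver processes and ACKs
        lost = send_with_ack(sock, 2, b"DROP this one")   # receiver reads but never ACKs
    listener.close()
    return acked, lost


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second `send_with_ack` call returns False without any error from the socket layer: every byte was delivered and TCP-acknowledged, which is exactly why the sender needs its own acknowledgement frame (and, in a real protocol, a retransmit or alerting policy for the timeout case) rather than trusting the transport.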