TCP does not provide "delivery assurance". If the application needs to know
the data got through, it must use application-level acknowledgements. SSL
does not change this and provides the same set of guarantees and assurances
TCP does.
I'm sorry to disagree, but TCP, unlike UDP, does provide "reliable data
transfer". It does allow hijacking. I'll quote from Wikipedia to try to
explain better:
http://en.wikipedia.org/wiki/Transmission_Control_Protocol
"TCP is a reliable stream delivery service that guarantees delivery of
a data stream sent from one host to another without duplication or
losing data. Since packet transfer is not reliable, a technique known
as positive acknowledgment with retransmission is used to guarantee
reliability of packet transfers. This fundamental technique requires
the receiver to respond with an acknowledgment message as it receives
the data. The sender keeps a record of each packet it sends, and waits
for acknowledgment before sending the next packet. The sender also
keeps a timer from when the packet was sent, and retransmits a packet
if the timer expires. The timer is needed in case a packet gets lost
or corrupted.
[...]
An attacker who is able to eavesdrop a TCP session and redirect
packets can hijack a TCP connection. To do so, the attacker learns the
sequence number from the ongoing communication and forges a false
packet that looks like the next packet in the stream. Such a simple
hijack can result in one packet being erroneously accepted at one end."
I guess this can be done with ACKs as well. I'm almost absolutely sure
SSL can detect these hijacks and signal an alert, but I wanted to be
sure.
Maybe I'll try some ASCII-art tomorrow or get an experimental answer
by capturing an SSL session and seeing exactly what goes to and from.
I suspect the "sequence number" field of SSL record segments mentioned
in the RFC might be what I'm looking for...
Thanks anyway!
João
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
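As an added illustration of the point João suspects here (this is constructed example code, not from the thread or from OpenSSL): the TLS record layer computes its MAC over an implicit 64-bit sequence number that both endpoints count but never send on the wire (RFC 5246 section 6.2.3.1), so a TCP segment that a hijacker forges, replays or reorders is rejected by SSL/TLS with bad_record_mac even though TCP itself accepted it. The key and messages are made-up values; the model is simplified (MAC only, no encryption or alerts).

```python
import hmac
import hashlib
import struct

# Constructed demo key. A real TLS session derives its MAC write keys from the handshake.
MAC_KEY = b"demo-mac-write-key"
APPLICATION_DATA = 23          # TLS ContentType for application_data
TLS12 = (3, 3)                 # ProtocolVersion {3, 3} is TLS 1.2


def record_mac(mac_key, seq_num, content_type, fragment):
    """HMAC over seq_num || type || version || length || fragment (RFC 5246, 6.2.3.1).
    seq_num is implicit: never transmitted, each side increments it per record."""
    header = struct.pack("!QBBBH", seq_num, content_type, TLS12[0], TLS12[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


class Sender:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def send(self, fragment):
        record = (APPLICATION_DATA, fragment, record_mac(self.mac_key, self.seq, APPLICATION_DATA, fragment))
        self.seq += 1
        return record


class Receiver:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def receive(self, record):
        content_type, fragment, mac = record
        expected = record_mac(self.mac_key, self.seq, content_type, fragment)
        if not hmac.compare_digest(expected, mac):
            # A real implementation sends a fatal bad_record_mac alert and closes;
            # this model keeps going so each case below can be observed separately.
            return "bad_record_mac"
        self.seq += 1
        return fragment


def simulate():
    """Deliver records in order, then model what a TCP-level hijacker could do."""
    s, r = Sender(MAC_KEY), Receiver(MAC_KEY)
    r1, r2 = s.send(b"GET / HTTP/1.0\r\n"), s.send(b"Host: example\r\n")
    return {
        "in_order": r.receive(r1),                                   # accepted
        "replay": r.receive(r1),                                     # seq 0 again, receiver expects 1
        "injected": r.receive((APPLICATION_DATA, b"INJECT", r2[2])), # attacker has no MAC key
        "next": r.receive(r2),                                       # genuine next record still accepted
    }
```

The TCP layer would accept all four segments (correct TCP sequence numbers are enough for it); only the record MAC tied to the TLS sequence number distinguishes the genuine records from the replayed and injected ones.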