Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)

1999-10-07 Thread Robert Hettinga
At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote: > Title: Special Kurt's Closet: Is SSL dead? > Resource Type: News letter > Date: September 30, 1999 > Source: Security Portal > Author: Kurt Seifried > Keywords: INTERNET/WWW,SECURITY ISSUES ,ONLINE SHOPPING ,SSL > > Abstract/Summary: >

RE: Is SSL dead?

1999-10-07 Thread Greg Broiles
This deserves further explanation. In order to begin an SSL session, the server must present its public key and its site certificate to the client. If the certificate has been signed by a trusted key (popular browsers ship with many keys, held by CA's, pre-marked as trusted in the local key da

RE: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)

1999-10-07 Thread Phillip Hallam-Baker
This is a problem with SSL 2.0 first discovered by Simon Spero then at EIT. It was fixed in SSL 3.0, that must be almost three years ago. The server certificate now binds the public key to a specific Web server address. Phill -Original Message- From: [EMAIL PROTECTED] [

Re: Internal vs external threats, any references?

1999-10-07 Thread amir . herzberg
Rick said, > One has to be careful with one's universal quantifiers. > > "There's no attack you can defend against." - false > "There are defenses against some attacks." - true > "There are defenses against all attacks." - false > > My own experience makes me skeptical to the point of increduli

RE: Is SSL dead?

1999-10-07 Thread John R Levine
> Whether or not the hijacker can succeed in tricking a CA into issuing a > cert wrongfully is a complicated question - it's probably (hopefully?) hard > to reach that goal if the domain name requested is a well-known one. It'd be pretty hard. When I got a certificate from Thawte for a domain o

Re: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)

1999-10-07 Thread EKR
"Phillip Hallam-Baker" <[EMAIL PROTECTED]> writes: > This is a problem with SSL 2.0 first discovered by Simon Spero then at > EIT. Although Simon Spero did the first implementation of this attack, the first writeup of it I ever saw was by Allan M. Schiffman (also at EIT) about three months earlier

RE: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second Ed.)

1999-10-07 Thread David Jablon
At 07:35 PM 10/6/99 -0400, Phillip Hallam-Baker wrote: >This is a problem with SSL 2.0 first discovered by Simon Spero then at >EIT. >It was fixed in SSL 3.0, that must be almost three years ago. That's not the big issue here. Server-spoofing is not fully prevented by any version of SSL. The pr

mentor needed

1999-10-07 Thread Robert Hettinga
Reply to this person directly, please... Cheers, RAH --- begin forwarded text Date: Thu, 7 Oct 1999 01:20:46 -0400 (EDT) From: "Nina H. Fefferman" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: mentor needed Sender: [EMAIL PROTECTED] Reply-To: "Nina H. Fefferman" <[EMAIL PROTECTED]>