Re: Security of HTTPS

[Frank Knobbe <frank () knobbe us>]

On Sun, 2004-11-28 at 11:06, Ng Pheng Siong wrote:
> Is the Michael Warfields discussion entitled "SSL and IPS" and dated about
> 24 Jun 2004? I just skimmed that one very quickly: it seemed to be talking
> about an IDS watching traffic over the wire, not a proxy doing MITM
> actively and generating "pretend" certs on the fly.

That's the one. And it came to mind when Erik said "I wouldn't
necessarily call it a MITM attack, but there are some products
out there that intentionally decrypt an SSL connection.", but then went
on to describe a MITM attack. My comment was that there are products
that don't present their own certificate (as in MITM), but instead
decrypt the SSL session on the fly (which of course requires the keys of
the server). The clients keys don't matter as the public key is
exchanged and the private key is not required.

> > I still think people put too much stock in SSL VPNs.
> SSL VPNs give you security without compromising convenience! Woo-hoo!

Heh... SSH VPNs give you convenience without compromising security!  ;)

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part