Vulnerability Development mailing list archives
RE: IDS and SSL
From: "Jason Lewis" <jlewis () packetnexus com>
Date: Sun, 24 Mar 2002 17:20:54 -0500

There is a trade-off. You have to make that decision for yourself. The cost of putting certificates on all my webservers is high. The implementation, the design, the management, the processing power, etc.... it all costs in the end. I have one device (there are actually more, but they load balance themselves) that holds the certificate and handles the encryption. I also have complete control of my datacenter. No one is plugging anything in without me knowing about it.

While I guess it is POSSIBLE for someone to attack my alteon, it would be extremely difficult. Without going into detail, network equipment is only accessed via the console. The attack would have to be on the server itself. That would happen if I was running SSL on the box or on my dedicated hardware. I just moved the encryption part off the server and onto a device. Man in the Middle attacks aren't possible if you can't get in the middle.

I wouldn't be surprised if a lot of major ecommerce sites did something similar. Encryption is expensive, in more ways than money.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less about security than you do. And that's scary.

<snip>
I think encryption chain should be from web server point to client point in this matter. I know you have other benefits like acceleration but I think you are losing a bit on security here.
</snip>