WebApp Sec mailing list archives
Re: Idea for making SSL more efficient
From: "Jason Coombs PivX Solutions" <jcoombs () PivX com>
Date: Fri, 16 Jul 2004 18:35:46 +0000 GMT
SSL is *supposed* to provide server and optional client authentication, but the reality is that relying on arbitrary certificate chains rooted by trust in a variety of third-party Certifying Authorities any of whom could issue an SSL certificate for any FQDN or a client certificate that the server may verify automatically (if it too allows open-ended third-party trust the way that Web clients generally do) with no way in many implementations to restrict to known-good public keys that we know to be associated with the server or client/user in question. I wrote an article that shows how to restrict SSL connections based on the server's public key, as any change in keys that is unexpected *must* be viewed as a potential security breach. See: http://www.windevnet.com/wdn/articles/2003/0309/ Sincerely, Jason Coombs Jcoombs () PivX com -----Original Message----- From: "Michael Howard" <mikehow () microsoft com> Date: Fri, 16 Jul 2004 09:56:01 To:"Paul Johnston" <paul () westpoint ltd uk>, <webappsec () securityfocus com> Subject: RE: Idea for making SSL more efficient SSL provides many security features, including authentication, integrity checking and confidentiality. This solution provides only an integrity check, and weak one at that - only a hash, not a MAC. So what threat(s) concern you? [Writing Secure Code 2nd Ed] http://www.microsoft.com/mspress/books/5957.asp [Protect Your PC] http://www.microsoft.com/protect [Blog] http://blogs.msdn.com/michael_howard -----Original Message----- From: Paul Johnston [mailto:paul () westpoint ltd uk] Sent: Thursday, July 15, 2004 2:12 AM To: webappsec () securityfocus com Subject: Idea for making SSL more efficient Hi, A disadvantage with SSL is that it places increased load on the server, in particular because client's ISP caches cannot be used. In most situations the images on an SSL site are not confidential. If they are included as HTTP links then the browser will display a "mixture of secure and insecure content" warning. That is sensible, because an attacker could potentially manipulate the images to deceive the user. My idea is to include a MD5 hash of the image in the img tag, so in an https page you could do <img src="http://x.y.z/a.png" md5="xyz789"/> to reference an HTTP image. Images protected by these integrity checks would then not cause a browser warning. I expect roll-out would not be easy, and also there may be concerns about infering what is on the SSL page from what images are requested (e.g. whether "overdrawn.png" gets requested). Anyone got thoughts on this? Paul -- Paul Johnston Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk Sent wirelessly via BlackBerry from T-Mobile.
Current thread:
- Idea for making SSL more efficient Paul Johnston (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 17)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- RE: Idea for making SSL more efficient V. Poddubnyy (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 17)
- <Possible follow-ups>
- RE: Idea for making SSL more efficient Scovetta, Michael V (Jul 16)
- RE: Idea for making SSL more efficient Michael Howard (Jul 16)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 16)
- Re: Idea for making SSL more efficient Jason Coombs PivX Solutions (Jul 16)
- RE: Idea for making SSL more efficient Michael Howard (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 16)
- Re: Idea for making SSL more efficient Kurt Seifried (Jul 18)
- Re: Idea for making SSL more efficient Frank O'Dwyer (Jul 18)