Ian G wrote, On 2009-03-21 07:00:
> After MITB surfaced (and scared the European bankers into action) 

What is that?  Man In The Bank?
I suppose you meant MITM, but if not, please clarify.

> people in finance circles started to realise that session authentication
> was a mistake from the beginning 

I would say there is not consensus on that view, but maybe I don't hang
out with enough European bankers.

> (and that SSL was the vector for that mistake).

I think that paradigm goes back much farther than SSL.  Certainly SSL
continues it.

> TLS plays no part in that, or, you are right that the part it plays is 
> that of the culprit;  distracting attention from the real security needs 
> by imposing its security model.

Where does TLS impose on anyone?
Who says "Use TLS and nothing else or you'll be sorry"?
TLS offers something that is much more secure than plain text.  If some
group wants something else, they're free to design and implement it.

The problem has been that people who wanted a different model kept
wishing SSL had the model they wanted, and hating SSL for not having
the model they wanted, rather than inventing the thing they wanted.
TLS does not hold them back, except perhaps psychologically.

> Getting back to the "cheap" end of the market, right, some of us are 
> still trying to extract value by getting TLS to the always-on and 
> dual-authentication status.  Only then can it deliver real value up to 
> the application, rather than open up weaknesses in other areas.  For 
> this, client certs seem to be useful, because the code is already 
> written in the server side.

And the bad ones remind us of that, every minute or two.  :)

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto