> -----Original Message-----
> From: Bernd Eckenfels [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 12 December 2000 2:00 
> To: Pieter Grobler
> Cc: firewalls_list
> Subject: Re: Is there any Security risks in OPEN SSL source code

[...]
> Well, of course there is a security Risk in Any Software. Well, the private
> Key Storage is a weak point of all SSL Systems if you have to do automated
> access [...]

Yup.

> I am not aware of any known security problems of Open SSL. Of course you
> have to make sure that you watch the usual SSL Problems:
> 
> - restrict the cipher suites to a list you feel safe with
> - beware that ssl is only dealing with the transport of data, not the
> storage or authentication. for that you need a document based
> encryption/signature like pgp or s/mime.

SSL/TLS offer authentication that is as strong as that in PGP or S/MIME.
Well - I guess it depends if you buy into the trusted third party vs web of
trust thing, but let's not quibble over terms. SSL with mutual certificate
authentication is "strong enough" for most general purpose applications,
IMO. I think that data storage is only not a good application for TLS
because the protocol has no well defined way to be used for data storage.

> Afaik the PNG is depending on the platform you deploy the System.

The keys are derived using random "stuff" from both the client _and_ server,
so in a way they're dependent on two PRNGs. That way it's much less clear
that a busted RNG can force a TLS session into using weak keys. May still be
possible, but you'd need to ask a real cryptographer.

> 
> Greetings
> Bernd

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304