SSL is only safe if the initial handshake is missed by the sniffer. A tool
came out last year called SpyNet/PeepNet (I believe eEye purchased the
rights) that not only acted as a software sniffer for your Windows machine,
but it also, with the click of a button, would allow you to recreate
sessions (web, telnet, ftp, etc.), including SSL encrypted connections. We
in fact used this tool to bust a guy surfing "questionable content" at
Yahoo! Clubs for one of my clients. Just remember: why break the algorithm
when you can simply compromise the keys?
cheers,
-ben
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael T. Babcock
Sent: Saturday, February 03, 2001 10:06 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; 'John
Steniger'
Subject: Re: Configuration Arguments... In House...
[EMAIL PROTECTED] wrote:
> Being a little picky here - but SSL does not prevent sniffing. The
> encrypted data that can
> be sniffed has to be decrypted to be of any use. Provided you have a
> "strong" algorithm
> and a sufficient encryption level to make a brute-force attack futile (40
> or 56 bit would not
> be sufficient), the data should not be able to be decrypted. Just my two
> cents.
Side note (adding to what you said):
SSL traffic can be sniffed. The sniffer just gets encrypted traffic. The
sniffer can then decide to cryptanalyse or brute-force
the packets (cryptanalysis better because of known/guessable header contents
in starting packets) at their leisure. If your data
is sensitive enough (SSN's should come to mind), the amount of time to
brute-force a standard SSL connection (even a "high"
security one) shouldn't be considered good enough. If your attacker cares
to and captures all of your users' traffic for two
years and spends 10 years in the background cracking it all, they may have
information that was worth the wait (especially if
they're selling identity changes, etc.).
SSL's encryption strength needs to be severely re-thought in light of
current uses and future uses of encrypted web traffic.
--
Michael T. Babcock (PGP: 0xBE6C1895)
http://www.fibrespeed.net/~mbabcock/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
