On 8/3/22 1:46 PM, Jarland Donnell via mailop wrote:
This leans on faulty logic. If the browser is on the screen of a laptop plugged directly into the server, sitting in the middle of that place that sounds suspiciously like an airport, then this would be true. But then, if you trust the website and there is no one in between, what exactly is the point of SSL at all? Is it merely cosmetic in nature? Why do we have secure connections to anything if an old-school trust model is sufficient?

TEMPEST?  }:-)

Making sure that someone else can't snoop the traffic between the two adjacent systems.

You have SSL because you want to not only know that the server you are connecting to is who they say they are, but also to secure the packets as they transmit to your ISP, to their upstream, to the next upstream, etc. If you are using an insecure SSL protocol/cipher, the transactions cannot be called secure. Period.

Aside: What is "secure"? -- IMHO "secure" is an ambiguous intersection between privacy and / or authenticity.

I can be sure that data is authentic, as in unmodified, by using a null cipher and / or IPsec AH. I can ensure that data is private using any sufficiently strong cipher and / or IPsec ESP. Even clear text HTTP over a VPN is private.

As Brandon said, "Everything in security depends on your threat model."

If I'm concerned about a toddler learning a passcode to the iPad, I'll walk to the corner and cup my hand over my mouth as I share it. If I need to protect the intellectual property of my employer, I'm going to do a LOT more.



--
Grant. . . .
unix || die

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
