Hi,

While talking in the sci.crypt newsgroup, I had an idea about how to
make the Web more secure against traffic analysis. The idea comes from
a paper I have been reading ("Analysis of the SSL 3.0 protocol" by
B. Schneier and D. Wagner). They describe how an attacker can guess the
pages you have accessed by looking at the lengths of the SSL messages
exchanged in the HTTPS requests and replies.
The idea I was thinking of is to add a tiny protocol between HTTP and
SSL, to break the 1-to-1 mapping between HTTP and SSL messages. The
mapping would now be done in a random way.

Could anybody give me their impressions of that idea?
Should I continue designing the protocol further, or do you think that
nobody cares about web traffic analysis?

-- 
Regards,
Gabriel Belingueres
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
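
An illustration of the idea in the message above, added here and not part of the original post or of OpenSSL: a shim that splits one HTTP message into randomly sized, randomly padded frames, each of which would be handed to SSL as one record. The 4-byte header layout, the size limits and all function names are assumptions made for this example.

```python
import secrets
import struct

# Assumed frame header: payload length, padding length (network byte order).
HEADER = struct.Struct("!HH")

def frame(message, rng=None, max_chunk=512, max_pad=256):
    """Split one HTTP message into randomly sized, randomly padded frames.

    Each frame would be written to SSL as one record, so record lengths
    no longer map 1-to-1 onto the length of the HTTP message.
    """
    rng = rng or secrets.SystemRandom()       # CSPRNG unless a test RNG is given
    frames, pos = [], 0
    while pos < len(message) or not frames:   # always emit at least one frame
        take = rng.randint(1, max_chunk)
        chunk = message[pos:pos + take]
        pos += len(chunk)
        pad = rng.randint(0, max_pad)
        # Zero padding is acceptable here because SSL encrypts the whole frame.
        frames.append(HEADER.pack(len(chunk), pad) + chunk + bytes(pad))
    return frames

def deframe(frames):
    """Receiver side: validate each frame, drop padding, reassemble."""
    out = bytearray()
    for f in frames:
        if len(f) < HEADER.size:
            raise ValueError("truncated frame")
        n, pad = HEADER.unpack_from(f)
        if len(f) != HEADER.size + n + pad:
            raise ValueError("malformed frame")
        out += f[HEADER.size:HEADER.size + n]
    return bytes(out)

def observed_lengths(frames):
    """What a passive observer sees: one plaintext length per SSL record."""
    return [len(f) for f in frames]

if __name__ == "__main__":
    # Constructed sample response; the same page framed twice looks different.
    page = b"HTTP/1.0 200 OK\r\n\r\n" + b"x" * 3000
    for _ in range(2):
        print(observed_lengths(frame(page)))
```

The sum of the frame lengths is still an upper bound on the message size, so how much an observer learns depends on how large max_pad is relative to the differences between page sizes.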
