Gabriel Belingueres wrote:
>
> Hi,
>
> Talking in the sci.crypt newsgroup, I did have an
> idea about how to do the Web more secure against traffic analysis. The
> idea come from a paper I been reading ("Analysis of the SSL 3.0
> protocol" by B. Schneier and D. Wagner). They describe how an attacker
> can guess the pages you have been accessed by looking the lengths of the
> SSL messages exchanged in the HTTPS's requests and replys.
> The idea I was thinking is to add a tiny protocol between HTTP and SSL,
> to break the 1-to-1 mapping between HTTP and SSL messages. The mapping
> now would be in a random way.
?? How?
> Could anybody give me your impressions about that idea?
> Should I continue further designing the protocol, or you think that
> nobody cares about web traffic analysis?
It is interesting, but I don't see how you propose to defeat it.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
