Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-27 Thread Ian G
Ben Laurie wrote: Ian G wrote: ... http://wiki.cacert.org/wiki/VhostTaskForce (The big problem of course is that you can use one cert to describe many domains only if they are the same administrative entity.) If they share an IP address (which they must, otherwise there's no problem),

Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-27 Thread Ben Laurie
Eric Rescorla wrote: Ben Laurie [EMAIL PROTECTED] writes: And we need SSL v2 to die so it doesn't interfere with the above. Actually, you just disable it in the server. I don't see why we need anything more than that. The problem is that the ServerHostName extension that signals which

Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-27 Thread Ben Laurie
Ian G wrote: Ben Laurie wrote: Ian G wrote: ... http://wiki.cacert.org/wiki/VhostTaskForce (The big problem of course is that you can use one cert to describe many domains only if they are the same administrative entity.) If they share an IP address (which they must, otherwise there's

Re: browser vendors and CAs agreeing on high-assurance certificates

2005-12-27 Thread Ian G
Ben Laurie wrote: Ian G wrote: http://wiki.cacert.org/wiki/VhostTaskForce (The big problem of course is that you can use one cert to describe many domains only if they are the same administrative entity.) If they share an IP address (which they must, otherwise there's no problem), then

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-27 Thread Ben Laurie
Anne Lynn Wheeler wrote: James A. Donald wrote: However, the main point of attack is phishing, when an outsider attempts to interpose himself, the man in the middle, into an existing relationship between two people that know and trust each other. in the public key model ... whether it

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-27 Thread Anne Lynn Wheeler
Ben Laurie wrote: Eh? It surely does stop MitM attacks - the problem is that there's little value in doing so for various reasons, such as no strong binding between domain name and owner, UI that doesn't make it clear which domain you are going to, or homograph attacks. it stops the MITM

Re: another feature RNGs could provide

2005-12-27 Thread Travis H.
On 12/26/05, Ben Laurie [EMAIL PROTECTED] wrote: Surely if you do this, then there's a meet-in-the middle attack: for a plaintext/ciphertext pair, P, C, I choose random keys to encrypt P and decrypt C. If E_A(P)=D_B(C), then your key was A.B, which reduces the strength of your cipher from 2^x

Re: crypto for the average programmer

2005-12-27 Thread Ben Laurie
Jack Lloyd wrote: On Fri, Dec 16, 2005 at 05:41:48PM +, Ben Laurie wrote: No, OpenSSL is self-contained. There is, IIRC, an engine that uses GMP if you want, but its entirely optional; OpenSSL has its own bignum implementation that's just as good. Last I checked, public key operations

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-27 Thread Ben Laurie
Anne Lynn Wheeler wrote: a more sensible human factors design ... is to remember whether a person has checked out first time communication with a stranger ... the real first time, have the person do something additional ... and from then on remember that checking. in that respect ... creating

Re: X.509 / PKI, PGP, and IBE Secure Email Technologies

2005-12-27 Thread Anne Lynn Wheeler
Ben Laurie wrote: This is the SSH design for host keys, of course, and also the petnames design for URLs. Unfortunately petnames don't solve the problem that it is hard to check the URL even the first time. the original SSL paradigm was predicated on end-to-end security that the server the

Re: another feature RNGs could provide

2005-12-27 Thread David Malone
On Tue, Dec 27, 2005 at 03:26:59AM -0600, Travis H. wrote: On 12/26/05, Ben Laurie [EMAIL PROTECTED] wrote: Surely if you do this, then there's a meet-in-the middle attack: for a plaintext/ciphertext pair, P, C, I choose random keys to encrypt P and decrypt C. If E_A(P)=D_B(C), then your

ADMIN: end of latest SSL discussion

2005-12-27 Thread Perry E. Metzger
The latest round of SSL and X.509 certs in browsers are broken has gone on too long. I kept hoping after weeks people might get bored, but they haven't. I'm cutting it off for at least a little while. I'll entertain new postings only if they propose actual solutions rather than long

Re: crypto for the average programmer

2005-12-27 Thread Jack Lloyd
On Tue, Dec 27, 2005 at 02:28:07PM +, Ben Laurie wrote: Apparently this rather depends on platform and compiler options. I am reliably informed that GMP is not always faster. For those that really care it'd be cool if someone did a careful comparison. It would also be interesting to