On Tue, Feb 05, 2002 at 05:41:54AM -0800, Stanford wrote:
> How secure is HTTPS?? The question being discussed is:
> Should people's private information (medical,
> prescription, banking, etc.) be sent over HTTPS or
> should a VPN be involved with HTTPS? I always follow
> the practice of better to have more than not enough. I
> am currently using VPN with HTTPS. I know most, if not
> all, banking is done over HTTPS, but what about
> people's medical history and stuff like that? Is HTTPS
> really secure enough??
> 
> Just thought I'd find out what the consensus is on
> this matter!!

I think you are asking the wrong questions, or rather,
based on what you are asking you may be neglecting the
parts of a "secure" system that tend to break in practice.

My first recommendation is to read _Security Engineering_
by Ross Anderson <www.cl.cam.ac.uk/~rja14/book.html>.
I really, really wish more people read this book. Sample
chapters are available online, but I urge everyone building
systems to order it now and read the sample chapters
while you are waiting for it to be delivered.

HTTPS is really HTTP over SSL/TLS. SSL v.3 and TLS are
acceptable security protocols. Of course if the client-server
pair negotiate ENULL (no encryption) then the data is sent
in plaintext. 

Whether that is a risk depends on the sort of environment you
are dealing with, it was not clear to me whether you wanted
to use HTTPS/SSL as a network transport in your application 
software level, as a tunnel (e.g. stunnel), or if you were
referring to web browser client software (e.g. MSIE, Netscape).
A very good SSL/TLS toolkit is available from OpenSSL.org.

HTTPS/SSL is not my preference for a VPN if you are dealing with
a lot of data or complex authentication requirements, then
solutions using IPSec and other "true" VPN solutions[1] might
scale better.

I suggest you read some google archives of comp.society.privacy and
RISKS <http://catless.ncl.ac.uk/Risks> about common / stupid 
weaknesses in web based applications including banking and medical
information. Poor user authentication "bootstrapping" or deployment
is a far greater risk in most real world deployments.

I hope that answers your questions at least somewhat.

-M Taylor

[1] Why TCP Over TCP Is A Bad Idea (PPP over SSH)
 <http://sites.inka.de/sites/bigred/devel/tcp-tcp.html>
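
The eNULL point in the message above, as an added example that is not part of the original email: Python code using the standard `ssl` module that keeps no-encryption suites out of a client's offer and rejects a connection whose negotiated suite does not encrypt. The function names and the cipher string are assumptions of this example, and the sample cipher tuples are constructed.

```python
import ssl


def is_null_encryption(name, secret_bits):
    """True if a cipher suite gives no confidentiality (OpenSSL's eNULL class)."""
    return secret_bits == 0 or "NULL" in name.upper()


def hardened_client_context():
    """Client context that never offers no-encryption or anonymous suites."""
    ctx = ssl.create_default_context()            # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!eNULL:!aNULL")         # assumed policy string for this example
    return ctx


def enabled_null_suites(ctx):
    """Audit a context: names of enabled suites that would send plaintext."""
    return [c["name"] for c in ctx.get_ciphers()
            if is_null_encryption(c["name"], c["strength_bits"])]


def assert_encrypted(tls_sock):
    """Call after the handshake; refuse to send data over a non-encrypting suite."""
    name, version, bits = tls_sock.cipher()       # (suite name, protocol, secret bits)
    if is_null_encryption(name, bits):
        raise ssl.SSLError(f"refusing {name}: negotiated suite does not encrypt")
    return name, version, bits


if __name__ == "__main__":
    print("NULL suites offered:", enabled_null_suites(hardened_client_context()))
    # Constructed sample results of SSLSocket.cipher(), not captured from a real server.
    for sample in [("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
                   ("NULL-SHA256", "TLSv1.2", 0)]:
        print(sample[0], "-> plaintext" if is_null_encryption(sample[0], sample[2])
              else "-> encrypted")
```

In real use, `assert_encrypted` is called on the socket returned by `ctx.wrap_socket(...)` before any private data is written.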
