> Everything *after* that handshake, in cleartext, is open for inspection or for manipulation
Are you sure about the manipulation part? Why do you think encryption helps here then?

--

With Best Regards,
Marat Khalili


On 08/12/15 05:30, William A Rowe Jr wrote:
On Mon, Dec 7, 2015 at 7:40 PM, Jacob Champion <champio...@gmail.com> wrote:

    On 12/07/2015 05:06 PM, William A Rowe Jr wrote:

        On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg <r...@lanl.gov> wrote:

            Hello,

            I am building a storage system, using HTTP/HTTPS for
            ingesting data.

            I would like to use the authentication over HTTPS, while
            after that I want no encryption on the data because of
            performance.


        Then you probably don't understand the performance impact of TLS.


    To help Ron out a little... he's coming from this conversation [1]
    on the openssl-users mailing list, where he's described his rather
    unusual network topology already.

    I'm still unsure as to whether or not his proposed solution is
    secure... but I am convinced that his use case is atypical.


It should be straightforward to patch mod_ssl to accept null ciphers, for such an unusual use case, but it isn't something we would likely accept in the ASF distribution for the reasons I outlined.

        Otherwise,
        any man-in-the-middle can observe the data in transit and alter
        the data passed between your client and backend storage server


    Wait, why does the use of NULL encryption have any effect on the
    authenticity/integrity characteristics of the cipher? I asserted
    otherwise on openssl-users and was not corrected...


I didn't suggest that it would. Everything *after* that handshake, in cleartext, is open for inspection or for manipulation by every link in between the user agent and server.

    --Jacob

    [1] https://marc.info/?t=144900982700003&r=1&w=2
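The thread turns on the difference between a TLS NULL-cipher suite (cleartext records that still carry a MAC, so integrity survives) and dropping TLS entirely after the handshake (cleartext with no integrity check at all). The following is an added example, not code from this thread or from mod_ssl: a toy authenticate-but-don't-encrypt record layer in Python. The key derivation, record format and sample payload are assumptions constructed for the illustration and are not the TLS key schedule or record format.

```python
"""Added example (not part of the mailing-list thread): a toy record layer
that authenticates but does not encrypt, in the spirit of a TLS NULL-cipher
suite. Three observations follow: the payload is readable by every hop in
cleartext, an in-path modification is rejected by the receiver's MAC check,
and a replayed record is rejected by the sequence-number check. The key
derivation and record layout are assumptions of this example, not TLS."""
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output
SEQ_LEN = 8    # 64-bit big-endian sequence number


def derive_record_key(handshake_secret: bytes, label: bytes = b"toy record mac") -> bytes:
    # Assumption: one HMAC-SHA256 "expand" step standing in for a real key schedule.
    return hmac.new(handshake_secret, label, hashlib.sha256).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a cleartext record: seq (8 bytes) || payload || HMAC tag (32 bytes).

    The sequence number is part of the MAC input, so a replayed or reordered
    record fails verification even though its tag was genuinely computed."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_record(key: bytes, expected_seq: int, record: bytes) -> bytes:
    """Verify a record and return its payload; raise ValueError on any tampering."""
    if len(record) < SEQ_LEN + TAG_LEN:
        raise ValueError("record too short")
    header = record[:SEQ_LEN]
    payload = record[SEQ_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    (seq,) = struct.unpack(">Q", header)
    if seq != expected_seq:
        raise ValueError(f"unexpected sequence number {seq}")
    expected_tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak tag bytes.
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("MAC verification failed")
    return payload


def demo() -> dict:
    """Run the three cases on a constructed sample and return the observations."""
    key = derive_record_key(b"constructed handshake secret")   # constructed sample
    payload = b"PUT /ingest/chunk-0001 size=4096"              # constructed sample payload
    record = seal(key, 0, payload)
    results = {}

    # 1. Cleartext: the payload bytes sit verbatim in the record for any hop to read.
    results["payload_visible"] = payload in record

    # 2. Integrity: flip one bit of the payload in transit; the receiver rejects it.
    tampered = bytearray(record)
    tampered[SEQ_LEN] ^= 0x01
    try:
        open_record(key, 0, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    # 3. Replay: the genuine record presented when the receiver expects seq 1.
    try:
        open_record(key, 1, record)
        results["replay_detected"] = False
    except ValueError:
        results["replay_detected"] = True

    return results


if __name__ == "__main__":
    print(demo())
```

The point for a deployment like Ron's is the one William makes: a NULL cipher keeps the MAC, so the receiver can still reject altered or replayed records, whereas a plain HTTP connection after an HTTPS login has no tag to check and accepts whatever arrives. The example also shows the cost of that trade: `payload_visible` is `True`, so confidentiality is entirely gone.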

