[Ach] StartSSL for Business Sysadmins
Rainer Hoerbe
rainer at hoerbe.at
Wed Jan 15 17:15:58 CET 2014
Yes, SPDY's benefits are compelling, but endorsement of SPDY should be the concern of the IETF. There are considerations other than encryption, e.g. whether SPDY's new slow-start algorithm maintains fairness with plain TCP/IP. Bettercrypto should not push for unapproved standards.
- Rainer
On 15.01.2014 at 15:58, Philipp Gühring <pg at futureware.at> wrote:
> Hi,
>
>
>> SSH can put up with click-thru syndrome because of its narrow domain.
>> It works, because the user is the sysadm or knows the sysadm, and can
>> ask when a click-thru is appropriate.
>>
>> SSL however cannot; it totally breaks the security model, and leaves
>> wide open to the anticipated threat model -- MITM, aka phishing.
>
> The problem we have here I think is HTTPS, not SSL.
>
> https:// expects a secure connection to an authenticated server.
> http:// does not expect any authentication from the server.
> So we could easily use SSL opportunistically with anon-dh for http://
>
> I guess that this might be what Google is (or could be) actually doing
> with their SPDY protocol.
> SPDY is used for http:// and https://, and every SPDY connection is
> encrypted with TLS. So it effectively places a TLS underneath normal http://.
> My guess is that they are using anon-dh for http:// and authenticated
> ciphersuites for https:// then, but I couldn't read that out of the
> documentation at the moment.
> If anyone wants to research that question and could let me know about it...
> http://en.wikipedia.org/wiki/SPDY
>
> If this is the case, then we should propose that people should use
> SPDY, so that they get opportunistic encryption for http://
>
> Best regards,
> Philipp Gühring
>