[Ach] StartSSL for Business Sysadmins

Rainer Hoerbe rainer at hoerbe.at
Wed Jan 15 17:15:58 CET 2014

Yes, SPDY's benefits are compelling, but endorsement of SPDY should be the concern of IETF. There are other considerations than encryption, e.g. if SPDY new slow-start algorithm maintains fairness with plain TCP/IP. Bettercrypto should not push for unapproved standards.

- Rainer

Am 15.01.2014 um 15:58 schrieb Philipp Gühring <pg at futureware.at>:

> Hi,
>> SSH can put up with click-thru syndrome because of its narrow domain.
>> It works, because the user is the sysadm or knows the sysadm, and can
>> ask when a click-thru is appropraite.
>> SSL however cannot;  it totally breaks the security model, and leaves
>> wide open to the anticipated threat model -- MITM, aka phishing.
> The problem we have here I think is HTTPS, not SSL.
> https:// expects a secure connection to an authenticated server.
> http:// does not expect any authentication from the server.
> So we could easily use SSL opportunistically with anon-dh for http://
> I guess that this might be what Google is (or could be) actually doing
> with their SPDY protocol.
> SPDY is used for http:// and https://, and every SPDY connection is
> encrypted with TLS. So it effectively places a TLS underneath normal http://.
> My guess is that they are using anon-dh for http:// and authenticated
> ciphersuites for https:// then, but I couldn't read that out of the
> documentation at the moment.
> If anyone wants to research that question and could let me know about it...
> http://en.wikipedia.org/wiki/SPDY
> If this is the case, then we should propose that that people should use
> SPDY, so that they get opportunistic encryption for http://
> Best regards,
> Philipp Gühring
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

More information about the Ach mailing list