OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 1st quarter (Jan-Mar) 1995: Re: "Secure Socket Layer" protocol (NYT Article)

Re: "Secure Socket Layer" protocol (NYT Article)

Rens Troost (rensimsi.com)
Tue, 24 Jan 1995 11:34:40 -0500 

> Richard Sez:
> 
> There's a protocol being touted by Netcape Communications Corportation
> (formerly Mosaic Communications Corportation) which is supposedly strong
> enough to conduct commerce over.  It's description is in a document with
> all the RFC-bound trappings, located on http://www.mcom.com/someplace.

http://www.mcom.com/info/SSL.html


> I'm not a member of the Brainiac Protocol Busters Club, but the protocol
> looks pretty good to me.  In lieu of the IETF protocol, has anybody 
> spotted flaws in the SSL ?  It's up and working now, apparently. 

SSL is a perfectly fine session-level encryption protocol; It layers
conceptually on top of TCP and under (ftp, http, whatever) and
provides support for a number of different block and stream encryption
methods.

It does have a few problems:

	1> It's yet another standard to do this, and is only
	   implemented currently in netscape.

	2> The authentication and encryption are associated with
	   the session/connection, and not with the transported data.
           this makes it useless when a proxy is involved.

        3> It looks like S-HTTP is going to be the standard and not
           SSL. S-HTTP is also available now.

        4> The spec author (kippwarp.mcom.com) does not seem to have
           time to help others implement SSL, and there is no
           mailing list as yet.

But, on the other hand, it's a perfectly good design for doing what it
does, and it is deployed in the netscape and netsite software.

-Rens