[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: insecure, convenient use of SSL

To: Jason Dusek <jason.dusek@gmail.com>
Subject: Re: insecure, convenient use of SSL
From: Michael StrÃder <michael@stroeder.com>
Date: Sat, 12 Apr 2008 14:51:11 +0200
Cc: openldap-software@openldap.org
In-reply-to: <42784f260804111355r7d37728et1af5caa8df24989c@mail.gmail.com>
References: <42784f260804071743v5fc1468aw5035467df632879d@mail.gmail.com> <42784f260804101642k756f7b3fw564af38b3339fe2@mail.gmail.com> <47FF2E5A.2040401@stroeder.com> <42784f260804111355r7d37728et1af5caa8df24989c@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080313 SeaMonkey/1.1.9

Jason Dusek wrote:

Michael StrÃder <michael@stroeder.com> wrote:
You shouldn't use SSL in such a insecure way.
I don't use SSL for anything but encryption.

There's no proper authorization without proper authentication. In the case of SSL/TLS the encryption layer can only be securly established if the client checks the server's identity by validating the server's cert and checking the server's name.

Secure server identity is handled by my DNS setup.

It is very unlikely that you can sufficiently protect DNS information unless you use signed DNS zones with DNSSEC also on the client side. Checking the server's fully-qualified domain-name against the CN or the subjectAltName of the server's certificate is a MUST.

Maybe you could elaborate on your particular needs.

Ciao, Michael.

References:
- insecure, convenient use of SSL
  - From: "Jason Dusek" <jason.dusek@gmail.com>
- Re: insecure, convenient use of SSL
  - From: Michael StrÃder <michael@stroeder.com>
- Re: insecure, convenient use of SSL
  - From: "Jason Dusek" <jason.dusek@gmail.com>

Prev by Date: Re: ppolicy
Next by Date: on Authentication in openldap
Index(es):
- Chronological
- Thread