From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
To: Anonymous <lucifer@dhp.com>
Message Hash: 29c8860fb0356dfbacd00151549adda07bc8b63b887462e5a15b35d32d878672
Message ID: <9611290849.aa28944@gonzo.ben.algroup.co.uk>
Reply To: <199611290102.UAA13822@dhp.com>
UTC Datetime: 1996-11-29 09:52:55 UTC
Raw Date: Fri, 29 Nov 1996 01:52:55 -0800 (PST)
From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Date: Fri, 29 Nov 1996 01:52:55 -0800 (PST)
To: Anonymous <lucifer@dhp.com>
Subject: Re: SAFEPASSAGE BRINGS STRONG CRYPTO TO WEB BROWSERS WORLDWIDE
In-Reply-To: <199611290102.UAA13822@dhp.com>
Message-ID: <9611290849.aa28944@gonzo.ben.algroup.co.uk>
MIME-Version: 1.0
Content-Type: text/plain
Anonymous wrote:
>
> > From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
> >
> > I think I would discuss this with the author before going public, to give
> > him the usual opportunity to clean up before all hell breaks loose. However,
> > that is what I'd call "work" rather than "fun", so I'd want paying for it.
>
> Translation: You don't really know what you are talking about.
>
> > My impression is that Eric is more interested in speed and functionality than
> > strict security (and considering the incredible vulnerability that is more or
> > less inherent in an SSL implementation, I feel the same). I could be wrong, of
> > course.
>
> How is any security hole inherent in an SSL implementation? The
> protocol itself may not give you everything you need, but regardless
> of whether or not the protocol is useable for any given task (or any
> task at all), nothing precludes a secure implementation.
SSL requires the keying material to be available at all times. This is rather
different from many applications of cryptography, where one can keep keying
material safely locked away except when it is needed.
This is the inherent vulnerability.
Cheers,
Ben.
--
Ben Laurie Phone: +44 (181) 994 6435 Email: ben@algroup.co.uk
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd, Apache Group member (http://www.apache.org)
London, England. Apache-SSL author
Return to November 1996
Return to “lucifer@dhp.com (Anonymous)”