
RE: SSL Regulations and Laws

From: <SpeedM(at)nmbc.com>
Date: Mon Jul 21 2003 - 17:48:07 EDT


SSL is regarded by the general public as the end-all-be-all of webapp security and it is truly far from it. I am sure that we don't need a breakdown of what SSL does and how it does it, but we all need to remind ourselves that users see the little lock in the corner of their browser window and assume that the webapp that they are using is secure. We know that this is not right.

SSL will make it near impossible, or at least way too difficult and time consuming, to decrypt traffic sent between client and webserver. So if someone is snooping my traffic as I am paying bills online at my bank's website then they won't get my password. Am I the only one that realizes how trivial this threat is? It is far more reasonable to assume that the client would get hacked by a spyware virus or remote access trojan, which has a much higher probable rate of finding a password and private info than spending time decrypting a ton of SSL encrypted packets.

I totally agree with Ingo, the security of the webapp itself is much more of a threat. Who cares what encryption I have between me and my bank if the bank's webapp is susceptible to SQL injection, XSS, or implements a flawed authentication scheme.

-----Original Message-----
From: Ingo Struck [mailto:ingo@ingostruck.de]
Sent: Monday, July 21, 2003 12:52 PM
To: webappsec@securityfocus.com
Cc: Chackan Lai

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi...

> Of course, the other option is to have a java applet downloaded onto
However, this method has got two main drawbacks:
- virtually any "security-aware-user" will immediately disallow the execution of any applet / script code et al.
- the remainder of the few who trust the server all the same will most often be cut off due to the incompatibilities linked to java awt/swing applet stuff

Beyond those issues the risk of using not-well-secured applets (it's not an easy task to do that right - most of the tries I saw failed) heavily outweighs the "security boost" you gain from a 40 bit to 128 bit upgrade.

From my point of view using script or any other executable code for web-based applications, especially for "security-aware" apps, is *NEVER* an option.

Kind regards

Ingo Struck

--
ingo@ingostruck.de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/HERihQivkhmqPSQRAmvMAKCsmB4NDcor9WOI27LtibLWyInZNwCggjes
T3a5TFDwI5LgTppzNfJkdnk=
=hnj+
-----END PGP SIGNATURE-----

Received on Mon Jul 21 18:14:36 2003
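The point made at the top of this thread, that transport encryption does nothing for a server-side flaw such as SQL injection, is easy to show in code. The following is an added illustration written for this archive page; it is not code from either poster. It uses Python's built-in sqlite3 module with a constructed in-memory user table, and the function names (make_db, login_vulnerable, login_hardened, demo) are chosen here for the example. The same query, sent over a perfectly good SSL/TLS channel, behaves identically: the channel protects the bytes in transit, not the way the server interprets them.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration only. A real application
    # would store a password hash, never the plaintext, but hashing is not
    # the property being shown here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The query text is assembled from user input, so input can change the
    # structure of the statement, not just its data. Nothing on the wire
    # (40-bit, 128-bit or otherwise) has any bearing on this.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    # Parameterised query: sqlite3 binds the values separately from the SQL
    # text, so a quote character in the input is just a character.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    # A password field containing a quote and a tautology turns the
    # vulnerable query into ... AND password = '' OR '1'='1', which is
    # always true. The hardened version just compares against the literal.
    conn = make_db()
    crafted = "' OR '1'='1"
    return {
        "vuln_good_password": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "alice", crafted),
        "hard_good_password": login_hardened(conn, "alice", "correct horse"),
        "hard_wrong_password": login_hardened(conn, "alice", "wrong"),
        "hard_injected": login_hardened(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-20s %s" % (name, result))
```

The only difference between the two functions is who builds the SQL statement: the application (from strings it does not control) or the database driver (from a fixed template plus bound parameters). That difference decides whether "vuln_injected" logs an attacker in, and it is entirely invisible to the browser's padlock icon.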

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT

