hc-dev mailing list archives

From "Eric Johnson" <e...@tibco.com>
Subject Re: ssl question
Date Tue, 29 Jul 2003 12:55:14 GMT
Quent,

You might also read Bruce Schneier's book called "Applied Cryptography", 
(and his other books, too).  Every security system has its inescapable 
flaws.  HTTPS/SSL/TLS, for example, depends on the certificates not 
being compromised while they're still valid, and on the computational 
complexity involved in deciphering for the chosen symmetric key 
encryption algorithm.  I think the default with JSSE is to use DESede 
for the symmetric encryption, which security researchers have "cracked" 
for an individual message in under 48hrs with highly distributed 
processing (tens of thousands of computers cooperating).  In other 
words, HTTPS is good for keeping messages from criminals (they have 
better and easier ways to get your credit card numbers!), but capable 
governments can decode the messages.

Of course, this is off-topic, so you should look for more information 
elsewhere as Odi suggested.

-Eric.

Querent wrote:

>Dear Odi,
> 
>I am using jsse for the ssl implementation.
>I still want to use HttpClient in my program.
>If I am assuming that the server and client certificate both valid and
>they're communicating to each other. Are they communicating in a secure
>line? (ie: no one can get or decrypt the data ?)
> 
>Do you have any reference or links to read to strengthen the
>communication between client and server?
> 
>Thanks in advance
> 
>Quent
>
>
>Ortwin_Glück <ortwin.glueck@nose.ch> wrote:
>Dear Querent,
>
>SSL is not implemented by HttpClient but is provided by an external 
>company such as Sun. HttpClient uses the SSL implementation that you 
>chose. How secure the SSL connections are is dependent on the algorithm 
>used. To be sure you should disable known weak algorithms in your SSL 
>implementation. Furthermore you can check the server certificate and 
>supply a client certificate. For ultra-sensitive data (like banking 
>applications) it is certainly not sufficient to have just the code you 
>posted.
>
>HTH
>
>Odi
>
>Querent wrote:
>
>  
>
>>Dear all,
>>
>>I'd like to know how secure it is ssl in HttpClient. I set up the
>>host configuration using
>>
>>HttpClient client = new HttpClient();
>>client.setStrictMode(true);
>>client.getHostConfiguration().setHost(LOGON_SITE, LOGON_PORT, "https");
>>
>>while LOGON_SITE and LOGON_PORT is the address of https site. I am
>>able to do either GetMethod or PostMethod.
>>
>>Is my set up enough for HttpClient such that my program communicate
>>using secure connection ? Does HttpClient reliable on ssl ?
>>
>>Thanks a lot.
>>
>>quent
>>
>>
>>
>>    
>>
>
>  
>
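
Odi's advice in the thread (disable known weak algorithms in the SSL implementation and check the server certificate), sketched as an added example that is not code from any poster or from HttpClient. It uses the current JSSE `SSLParameters` API (Java 8 or later assumed) rather than the 2003-era libraries; the class name `StrictTls`, the helper names and the list of name markers are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.util.ArrayList;
import java.util.List;

public class StrictTls {
    // Name fragments of suites to refuse: no encryption, no authentication,
    // export-grade keys, single DES, 3DES (DESede), RC4, MD5-based MACs.
    static final String[] WEAK =
        {"_NULL_", "_anon_", "_EXPORT_", "_DES_", "_3DES_", "_RC4_", "_MD5"};

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    // Start from what this JVM supports and keep only the strong subset.
    static SSLParameters strictParameters(SSLContext ctx) {
        SSLParameters supported = ctx.getSupportedSSLParameters();
        List<String> suites = new ArrayList<>();
        for (String s : supported.getCipherSuites()) {
            if (!isWeak(s)) suites.add(s);
        }
        List<String> protocols = new ArrayList<>();
        for (String p : supported.getProtocols()) {
            if (p.equals("TLSv1.2") || p.equals("TLSv1.3")) protocols.add(p);
        }
        SSLParameters params = new SSLParameters(
            suites.toArray(new String[0]), protocols.toArray(new String[0]));
        // Have the handshake match the server certificate against the host name.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    // Apply the restrictions to a socket before its handshake starts.
    static void harden(SSLSocket socket, SSLContext ctx) {
        socket.setSSLParameters(strictParameters(ctx));
    }

    public static void main(String[] args) throws Exception {
        // Print the suites that survive the filter on this JVM.
        SSLParameters params = strictParameters(SSLContext.getDefault());
        for (String s : params.getCipherSuites()) System.out.println(s);
    }
}
```

Running `main` lists the cipher suites a client hardened this way would offer; a server that supports none of them fails the handshake instead of falling back to a weak suite.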


