httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] explicitly including other ciphers for use with https
Date Tue, 08 Dec 2015 05:35:44 GMT
> Everything *after* that handshake, in cleartext, is open for 
> inspection or for manipulation
Are you sure about the manipulation part? Why do you think encryption 
helps here then?

--

With Best Regards,
Marat Khalili


On 08/12/15 05:30, William A Rowe Jr wrote:
> On Mon, Dec 7, 2015 at 7:40 PM, Jacob Champion <champion.p@gmail.com> wrote:
>
>     On 12/07/2015 05:06 PM, William A Rowe Jr wrote:
>
>         On Mon, Dec 7, 2015 at 2:39 PM, Ron Croonenberg <ronc@lanl.gov> wrote:
>
>             Hello,
>
>             I am building a storage system, using HTTP/HTTPS for ingesting data.
>
>             I would like to use the authentication over HTTPS, while after that
>             I want no encryption on the data because of performance.
>
>
>         Then you probably don't understand the performance impact of TLS.
>
>
>     To help Ron out a little... he's coming from this conversation [1]
>     on the openssl-users mailing list, where he's described his rather
>     unusual network topology already.
>
>     I'm still unsure as to whether or not his proposed solution is
>     secure... but I am convinced that his use case is atypical.
>
>
> It should be straightforward to patch mod_ssl to accept null ciphers, 
> for such an unusual use case, but it isn't something we would likely 
> accept in the ASF distribution for the reasons I outlined.
>
>         Otherwise,
>         any man-in-the-middle can observe the data in transit and alter
>         the data passed between your client and backend storage server
>
>
>     Wait, why does the use of NULL encryption have any effect on the
>     authenticity/integrity characteristics of the cipher? I asserted
>     otherwise on openssl-users and was not corrected...
>
>
> I didn't suggest that it would.  Everything *after* that handshake, 
> in cleartext, is open for inspection or for manipulation by every link 
> in between the user agent and server.
>
>     --Jacob
>
>     [1] https://marc.info/?t=144900982700003&r=1&w=2
>
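
The integrity question raised in this thread, as an added example that is not part of any poster's message: a simplified model of how a TLS 1.2 NULL-encryption suite such as TLS_RSA_WITH_NULL_SHA256 protects a record (RFC 5246, section 6.2.3.1), with the payload in cleartext and an HMAC appended. The key, payload and function names are constructed for illustration; this is not mod_ssl or OpenSSL code.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = hashlib.sha256().digest_size
APPLICATION_DATA = 23          # TLS record content type
TLS12 = (3, 3)                 # protocol version bytes for TLS 1.2

def _mac(mac_key, seq, content_type, fragment):
    # MAC input per RFC 5246: seq_num || type || version || length || fragment
    header = struct.pack("!QBBBH", seq, content_type, *TLS12, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def protect(mac_key, seq, fragment, content_type=APPLICATION_DATA):
    """NULL bulk cipher: the payload is sent as-is, followed by its MAC."""
    return fragment + _mac(mac_key, seq, content_type, fragment)

def unprotect(mac_key, seq, record, content_type=APPLICATION_DATA):
    """Return the payload, or raise ValueError if the MAC does not verify."""
    if len(record) < MAC_LEN:
        raise ValueError("record shorter than MAC")
    fragment, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(mac_key, seq, content_type, fragment)):
        raise ValueError("bad_record_mac")
    return fragment

def demo():
    mac_key = os.urandom(32)   # constructed; real TLS derives it in the handshake
    payload = b"PUT /bucket/object-17 size=4096"   # constructed sample payload
    record = protect(mac_key, 0, payload)
    results = {
        # No confidentiality: the payload is visible to every hop.
        "readable_on_wire": payload in record,
        "intact": unprotect(mac_key, 0, record) == payload,
    }
    tampered = record.replace(b"object-17", b"object-99")
    # A modified record, and an unmodified one replayed under a later
    # sequence number, must both fail verification at the receiver.
    for name, rec, seq in (("tampered", tampered, 0), ("replayed", record, 1)):
        try:
            unprotect(mac_key, seq, rec)
            results[name + "_rejected"] = False
        except ValueError:
            results[name + "_rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```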

