Return-Path: X-Original-To: apmail-httpd-users-archive@www.apache.org Delivered-To: apmail-httpd-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4B15F1810B for ; Tue, 8 Dec 2015 19:56:51 +0000 (UTC) Received: (qmail 92860 invoked by uid 500); 8 Dec 2015 19:56:48 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 92818 invoked by uid 500); 8 Dec 2015 19:56:48 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 92807 invoked by uid 99); 8 Dec 2015 19:56:48 -0000 Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Dec 2015 19:56:48 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id D0B98180999 for ; Tue, 8 Dec 2015 19:56:47 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.554 X-Spam-Level: X-Spam-Status: No, score=-0.554 tagged_above=-999 required=6.31 tests=[RP_MATCHES_RCVD=-0.554, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id 0LXIITcvRstE for ; Tue, 8 Dec 2015 19:56:36 +0000 (UTC) Received: from proofpoint5.lanl.gov (proofpoint5.lanl.gov [204.121.3.53]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with ESMTPS id 7E51920DB9 for ; Tue, 8 Dec 2015 19:56:35 +0000 (UTC) Received: from mailrelay2.lanl.gov (mailrelay2.lanl.gov [128.165.4.103]) by mailgate5.lanl.gov (8.15.0.59/8.15.0.59) with ESMTP id tB8JpWPH031356 for ; Tue, 8 Dec 2015 12:51:32 -0700 Received: from localhost (localhost.localdomain [127.0.0.1]) by mailrelay2.lanl.gov (Postfix) with ESMTP id 8E4CBED67B9 for ; Tue, 8 Dec 2015 12:51:32 -0700 (MST) X-NIE-2-Virus-Scanner: amavisd-new at mailrelay2.lanl.gov Received: from tykhe.lanl.gov (tykhe.lanl.gov [128.165.248.149]) by mailrelay2.lanl.gov (Postfix) with ESMTP id 6834FED67B8 for ; Tue, 8 Dec 2015 12:51:32 -0700 (MST) To: users@httpd.apache.org References: <5665EE82.1040501@lanl.gov> <56663506.3020302@gmail.com> <56666C30.8060501@rqc.ru> <56672C62.4040200@gmail.com> From: Ron Croonenberg Message-ID: <566734C4.7010702@lanl.gov> Date: Tue, 8 Dec 2015 12:51:32 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <56672C62.4040200@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21,1.0.33,0.0.0000 definitions=2015-12-08_12:2015-12-08,2015-12-08,1970-01-01 signatures=0 Subject: Re: [users@httpd] explicitly including other ciphers for use with https what if one simply doesn't care if the data is encrypted during transmission?. The data I move to an object store, basically files, could already be stored encrypted. Also, hardware encrypters don't have a need for encrypting data again. Encrypting it again is just a waste of A LOT of bandwith. However the passwords still need to be encrypted and encrypting TBs of data because I need an 8-16 token password encrypted is just a little silly I think a lot of people here are confusing 'network with "world wide web' and therefore NULL ciphers are unsafe This is just a bunch of hardware, with connections between it's nodes. The whole thing/cluster is not connected to anything 'internet', not even LAN. I worry about those connections being secure as much as I worry about security between a disk-controller and a hard drive. On 12/08/2015 12:15 PM, Jacob Champion wrote: > On 12/07/2015 09:54 PM, William A Rowe Jr wrote: >> On Dec 7, 2015 11:36 PM, "Marat Khalili" > > wrote: >> >> >> >> Everything *after* that handshake, in cleartext, is open for >> inspection or for manipulation >> > >> > Are you sure about the manipulation part? Why do you think encryption >> helps here then? >> >> To turn the question around, what gives you the suggestion that the user >> agent or the httpd server would notice any modification of plaintext >> bytes in transit through a router or other network intermediate? > > I would _expect_ that clients using an eNULL ciphersuite would check the > MAC that is transferred as part of the TLS record. I would further > expect the MAC to have been computed using a secret that was set up > during the initial handshake, so that it cannot be faked by an > intermediary who has been watching the stream. That's what I meant when > I said that NULL encryption should have (AFAIK) no effect on the authn > and integrity characteristics of the ciphersuites. It should only affect > the confidentiality. > > But I'm not an expert in TLS -- do you know of a reason that eNULL > ciphersuites have weaker guarantees on their integrity checks? If so, > I'd really like to know... This is the second time in a week that > someone has told me that eNULL ciphers provide effectively no security, > and up to this point I have believed otherwise. > > (As an experiment, I compiled httpd to allow eNULL ciphersuites and > captured an s_client conversation with dumpcap. Wireshark immediately > "decrypted" the plaintext data but showed that there was still a MAC > appended to each record. Modifying a single byte of that data caused > Wireshark to fail its "decryption" of that record.) > > --Jacob > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org > For additional commands, e-mail: users-help@httpd.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org