[DGD]DGD network io, SSL encryption and unix sockets

Felix A. Croes felix at dworkin.nl
Mon Feb 7 00:15:44 CET 2000


Brett McCormick <brett at mail.flyingcroc.net> wrote:

> On Sunday, 6 February 2000, at 13:49:35, Felix A. Croes wrote:
>
> > In spite of my claim not to know the Right Way, some comments:
> > 
> > I would suggest adding a kernel function to turn an existing connection
> > into an encrypted connection, rather than a secure connection on a
> > different port.
>
> This is problematic..  Unless there is some "magic string" sent to the
> client or server to initiate the handshake, which doesn't exactly turn
> me on.

Not a "magic string", but a negotiation.  "Shall we make this connection
secure?"  "Yes, let's."

Doing this with a kfun would allow turning encryption on or off for an
existing connection.


> > SSL is not very secure anymore.  If you want to base your implementation
> > on an existing standard, I suggest starting with the SSH protocol.
>
> SSL is just as secure as SSH, since they both use RSA public key
> cryptography.  I'm not an expert though, so you could very well be
> right, but last I heard, SSL wasn't going anywhere.

I was under the impression that SSL used 512 bit RSA keys, but it turns
out that I was wrong.  The size of the key is variable in the protocol,
and it was the USA crypto export restriction that limited it to 512 bits.
This may be different now, but I am not sure exactly what changed in
the export rules recently.

512 bit RSA keys were cracked last year, which was why I thought that
SSL was less secure.  You are right, it isn't.

Regards,
Dworkin


List config page:  http://list.imaginary.com/mailman/listinfo/dgd
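The negotiation Felix sketches above ("Shall we make this connection secure?" "Yes, let's.") with a kfun that flips an existing connection into encrypted mode, modelled as an added example. This is not DGD code and not anything posted in the thread: the state names, the three control tokens, the `Endpoint` and `Frame` classes and the `run_exchange` helper are all hypothetical, and the `secure` flag on a frame stands in for the real encryption layer. What it shows is the part an in-place upgrade has to get right: the switch happens at one well-defined point in the byte stream on both sides, nothing already buffered may straddle it, and once an endpoint is secure, anything not carried by the protected layer is a protocol violation.

```python
from collections import deque

# Connection states of one endpoint (hypothetical names chosen for this model)
PLAIN, PENDING, SECURE = "plain", "pending", "secure"

# Negotiation messages, hypothetical: the "Shall we make this connection
# secure?" / "Yes, let's." exchange reduced to three tokens.
UPGRADE_REQ, UPGRADE_OK, UPGRADE_NO = "STARTTLS?", "OK", "NO"


class UpgradeError(Exception):
    """A frame arrived that the negotiation rules do not permit."""


class Frame:
    """One unit on the wire. `secure` records whether the sender was already
    in the SECURE state; it stands in for the real encryption layer."""
    __slots__ = ("kind", "secure", "payload")

    def __init__(self, kind, secure, payload):
        self.kind = kind        # "ctl" for negotiation, "app" for user data
        self.secure = secure
        self.payload = payload


class Endpoint:
    def __init__(self, name):
        self.name = name
        self.state = PLAIN
        self.peer = None
        self.inbox = deque()    # frames from the peer not yet processed
        self.received = []      # application data delivered, in order

    def connect(self, peer):
        self.peer, peer.peer = peer, self

    # -- sending -----------------------------------------------------------
    def _emit(self, kind, payload):
        self.peer.inbox.append(Frame(kind, self.state == SECURE, payload))

    def send(self, data):
        """Application data; refused while a negotiation is in flight, so the
        peer can never find our data queued behind our own upgrade request."""
        if self.state == PENDING:
            raise UpgradeError(f"{self.name}: no application data during negotiation")
        self._emit("app", data)

    def request_upgrade(self):
        """Ask the peer to switch this existing connection to encrypted."""
        if self.state != PLAIN:
            raise UpgradeError(f"{self.name}: upgrade only from the plain state")
        if self.inbox:
            raise UpgradeError(f"{self.name}: drain buffered input before negotiating")
        self._emit("ctl", UPGRADE_REQ)
        self.state = PENDING

    # -- receiving ---------------------------------------------------------
    def process(self):
        """Handle every queued frame in order; returns how many were handled."""
        handled = 0
        while self.inbox:
            self._handle(self.inbox.popleft())
            handled += 1
        return handled

    def _handle(self, f):
        # Once secure, anything not carried by the protected layer is rejected,
        # whatever it contains.
        if self.state == SECURE and not f.secure:
            raise UpgradeError(f"{self.name}: unprotected frame after upgrade")
        if f.kind == "app":
            if self.state == PENDING:
                raise UpgradeError(f"{self.name}: data received mid-negotiation")
            self.received.append(f.payload)
        elif f.payload == UPGRADE_REQ:
            # Accept only if the request is the last thing in the buffer: bytes
            # already queued behind it would otherwise straddle the switch.
            if self.state == PLAIN and not self.inbox:
                self._emit("ctl", UPGRADE_OK)   # the answer goes out plain ...
                self.state = SECURE             # ... then this side switches
            else:
                self._emit("ctl", UPGRADE_NO)
        elif f.payload == UPGRADE_OK and self.state == PENDING:
            self.state = SECURE
        elif f.payload == UPGRADE_NO and self.state == PENDING:
            self.state = PLAIN
        else:
            raise UpgradeError(f"{self.name}: unexpected control frame {f.payload!r}")


def run_exchange():
    """Walk the happy path; returns both final states and what the server got."""
    client, server = Endpoint("client"), Endpoint("server")
    client.connect(server)
    client.send("hello")            # plain traffic before the negotiation
    server.process()
    client.request_upgrade()        # "Shall we make this connection secure?"
    server.process()                # "Yes, let's." and switch
    client.process()                # client learns the answer and switches too
    client.send("hello again")      # now carried by the protected layer
    server.process()
    return client.state, server.state, server.received


if __name__ == "__main__":
    print(run_exchange())
```

The model only ever goes one way; the "or off" half of Felix's kfun would need the same explicit exchange in reverse, with the same rule that nothing already buffered may be reinterpreted after the switch.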
