[IRC-DEV] Re: [PROTO-DESC] client<>server SSL

Jesus Cea Avion jcea at argo.es
Fri Mar 5 19:12:38 CET 2004

> Some of the benchmarks that one of our coders did basically suggested
> that while the accual encryption wasnt a problem, the negotiation used
> too much CPU and would make for an easy DOS.  What are you people
> thinking?

I'm worried about proliferation of SSL enabled clients that don't verify
server certificates. They only gives a false sense of security.

Nowaday a client establishes a secure connection but it don't verify to
whom it is talking. It could be cheated trivially using a intermixed
proxy, for example. Something fairly common in Spain, where millions of
ADSLs live behind national Telco "transparent proxies". Not nice.

I feel that (false sense of) "security" worse that no crypt at all.

PS: I feel SSL is overkill for IRC, BTW. But that is another battle.

Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
                                      _/_/    _/_/          _/_/_/_/_/
PGP Key Available at KeyServ   _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz

More information about the IRC-Dev mailing list