[IRC-DEV] Re: [PROTO-DESC] client<>server SSL
Jesus Cea Avion
jcea at argo.es
Fri Mar 5 19:12:38 CET 2004
> Some of the benchmarks that one of our coders did basically suggested
> that while the actual encryption wasn't a problem, the negotiation used
> too much CPU and would make for an easy DOS. What are you people
> thinking?

I'm worried about proliferation of SSL enabled clients that don't verify
server certificates. They only give a false sense of security.

Nowadays a client establishes a secure connection but it doesn't verify to
whom it is talking. It could be cheated trivially using an intermixed
proxy, for example. Something fairly common in Spain, where millions of
ADSLs live behind national Telco "transparent proxies". Not nice.

I feel that (false sense of) "security" is worse than no crypt at all.

PS: I feel SSL is overkill for IRC, BTW. But that is another battle.
--
Jesus Cea Avion
jcea at argo.es http://www.argo.es/~jcea/
PGP Key Available at KeyServ
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is putting your happiness in the happiness of another" - Leibniz
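
An added example, not part of the original message or of any IRC client's code: the non-verifying client configuration the message describes beside a verifying one, with a check that refuses to connect when the server is not authenticated. The function names, the host name and the use of port 6697 are assumptions made for illustration.

```python
import socket
import ssl


def unverified_context():
    """The behaviour criticised above: traffic is encrypted, but the peer is unknown."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be disabled before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a proxy's, is accepted
    return ctx


def verified_context(cafile=None):
    """Validate the chain against a trust store and match the certificate to the host."""
    # cafile=None uses the system trust store; pass a PEM file to pin a network's own CA.
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the reasons this context does not authenticate the server (empty if none)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate chain is not validated")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the server name")
    return problems


def connect_irc(host, port=6697, ctx=None, timeout=10):
    """Open a TLS connection to an IRC server, refusing unauthenticated setups."""
    if ctx is None:
        ctx = verified_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing TLS without server authentication: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # server_hostname is the name the certificate is checked against (and sent as SNI)
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    print("unverified:", audit_context(unverified_context()))
    print("verified:  ", audit_context(verified_context()))
```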