View Single Post
Old 15th March 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

As we've discussed, only the data portion of HTTPS packets are encrypted. Everything else about them are plain-Jane TCP, with its own security issues. TCP has been subject to spoofed-packet attacks, for many years. See the ClientAliveCountMax and TCPKeepAlive sections in sshd_config(5) for a short description of TCP's limitations.
It is unfortunate, but there are some ...er...uhm... extremely popular operating systems which do not bother to randomize the Initial Sequence Numbers (ISNs) used during TCP session creation even though it is accepted knowledge that a priori knowledge makes TCP spoofing/injection/MitM attacks easier to deploy. See this discussion of modulate state in the PF User's Guide, for one way OpenBSD routers can provide those workstations and servers with a little bit of protection from themselves.
For SSL and TLS encryption and authentication, which may be used with HTTPS, there are varying crytographic methods that may be selected by the administrator when using either technology, and varying authentications that may be used, from complex end-to-end keys and certifications to none-at-all.
Can the various SSL or TLS cryptographic systems be broken? Maybe. Depending on how things are configured, poor authentication makes the crypto choice moot.

Are some crypto systems better than others?
That depends...what does the question mean? More secure? Better performance? Longer keys?
You've once again raised broad concerns, without specifics. You're going to have to get specific with your question(s) if you want any kind of specific answers.

Last edited by jggimi; 15th March 2009 at 12:37 AM.
Reply With Quote