[LINK] Filter to cause World Wide Wait

Richard Chirgwin rchirgwin at ozemail.com.au
Thu Oct 30 20:06:53 EST 2008


Scott Howard wrote:
> On Wed, Oct 29, 2008 at 10:23 PM, Richard Chirgwin <rchirgwin at ozemail.com.au
>   
>> wrote:
>>     
>
>   
>> <evil grin>
>> Wasn't I just being told something about encryption and the Internet and
>> security of votes and ... (just joking)
>> </evil grin>
>>     
>
>
> (Yes, I know you're just joking, but...)
>
> The thing that people often forget is that decrypting SSL sessions is
> trivial - after all, your browser does it!
>
> SSL (as it's used in 99.99% of websites) doesn't have any safeguards against
> your traffic being decrypted, it just has functionality that if someone does
> decrypt your traffic the client will know about it (presuming you haven't
> installed the interceptors certificate), although the server will not.
>
> One would hope that for something like sending voting information over the
> internet they would pick a more relevant form of encryption...
>
>   Scott.i
>   
OK, let's follow this through ... 

1) As I understand it, SSL uses asymmetric keys to authentication and a
symmetric key for data exchange. Please correct me if I'm wrong.

2) SSL is session-based, by which I mean that it's supposed to be
(relatively) sensitive to MITM attacks. If you interrupt the session,
it's gone. Again, CMIIW.

3) If packets in the session are intercepted, you still need the shared
key to decrypt the data, or you apply a brute-force attack. But a
brute-force attack in real time isn't feasible (it's fine if you have
time to decrypt later, but that's not real time). Again, CMIIW.

Now ... browsers can do cryptography because frankly, encryption /
decryption isn't very complex. You take data, do the maths, out comes an
encrypted message. We did cryptography long before we had huge computer
power. The security of the keys is the, ahem, key. Assuming a reasonably
strong shared key, what is the mechanism by which a filter can
supposedly take an arbitrary packet, say "this data is encrypted",
decrypt it and say "this is naughty"?

RC


More information about the Link mailing list