Maybe It's Snake Oil All the Way Down
Eric Rescorla
ekr at rtfm.com
Mon Jun 2 12:14:07 PDT 2003
Ian Grigg <iang at systemics.com> writes:
> Eric Murray wrote:
> It may be that the SSL underlying code is
> perfect. But that the application is weak
> because the implementor didn't understand
> how to drive it; in which case, if he can
> roll his own, he may end up with a more
> secure overall package.
I don't think this is likely to be true. In my experience,
people who learn enough to design their own thing also learn
enough to be able to do SSL properly.
> > SSLv2, which was also designed by an
> > individual, also had major flaws. And that was the
> > second cut! I haven't seen v1, maybe Eric can
> > shed some light on how bad it was.
>
> [ Someone commented before that v1 was not deemed
> serious (Marc A?) and v2 was the more acceptable
> starting point (Weinsteins?). ]
That's not true as far as I know. V1 and V2 were designed
by the same guy (Kipp Hickman). V1 is actually very similar
to V2, except that the integrity stuff is all screwed up.
As far as I can tell, the fact of the matter is that Kipp
didn't understand the security issues until Abadi and
to some extent Schiffman sold them some clues.
> > Peer review is not "design by comittie".
>
> Let me clarify. SSL - the protocol - was not
> designed by committee, but, the size of the teams
> involved in the crypto systems was in excess of
> the people who were intimately familiar with the
> protocol. For the most familiar example, browsing,
> there were, it seems, many people involved in the
> overall grafting of SSL into the original HTML/HTTP
> system.
As far as I know, that's not the case. The original Netscape
team was very small and there really weren't any significant
choices to be made.
> > It is
> > the way to get strong protocols. When I have to roll my
> > own (usually because its working in a limited environment
> > and I don't have a choice)
> > I get it reviewed. The protocol designer usually misses
> > something in his own protocol.
>
> Sure. If someone does roll their own, then they
> should get it reviewed.
That's not my experience. WEP and PPTP come to mind.
> > > I'd say that conditions for Internet crypto system
> > > success would include:
> >
> > 0. USE EXISTING SECURITY PRIMITIVES
>
> :-)
>
> I know this is the mantra of the field.
>
> Quesion is: which PRIMITIVES?
>
> 1. RSA?
> 2. SSL, written from the RFC?
> 3. OpenSSL, the toolkit? EKR's fine effort?
> 4. RSADSI security consultants, selling you
> theirs?
> 5. ...
I would say the highest level primitives you can get away with.
> But, that assumes an awful lot. For a start,
> that it exists. SSL is touted as the answer
> to everything, but it seems to be a connection
> oriented protocol, which would make it less
> use for speech, media, mail, chat (?), by way
> of example.
SSL is quite fine for chat, actually. It's one of the
major things that people use for IM. The issue with
speech and media isn't connection-orientation but
rather datagram versus stream data.
> Then there is understanding, both of the
> protocol, and the project's needs. I know
> that when I'm in a big project and I come
> across a complex new requirement, often, it
> is an open question as to whether make or
> buy is the appropriate choice. I do know
> that 'make' will always teach me about the
> subject, and eventually, it will teach me
> which one to buy, or it will give me a
> system tuned to my needs.
The history of people who go this course suggests otherwise.
They generally get lousy solutions.
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cypherpunks-legacy
mailing list