Rahul Dhesi writes:
>A secure SSL-enabled web server:
> [ SSL web server ] ------- | ====== The Internet ====
>Here the firewall protects the SSL-enabled web server from all
>connection attempts except through port 443, and possibly port 80. The
Actually I prefer the model:
Put a web server on the exposed side of the net to handle port 80, and
public content - and arrange for it to be replicated from a safe machine
inside the firewall... and have it plug port 443 through to a web server
on the clean net. This SSL server can be configured to do nothing else
and if you really care, configure it to _require_ a client cert so only
authenticated connections are possible. This helps eliminate anonymous
hacking attempts on the ssl sever.
Of course there should still be another firewall between such servers and
the corporate network.
>data are passed on to the application. This makes SSL close to useless
>for serious security. Any intrusion into the machine running SSL
>immediately compromises the transaction.
Hmmm, if I can read memory on your system - what good is any form
of encryption? If I can write memory, you do not even have data
>final decryption is done inside the firewall. PGP fits the bill, SSL
Granted SSL is less than ideal, but it does exist and can be used.
PGP is not much use outside the US. as many corporations will not use
it due to license/export issues. Yes there is a version available outside
the U.S. but was it a clean room effort? There are no such issues with SSL.
Of course folk outside the U.S. are stuffed anyway, until a decent
non-U.S. based browser (not limited to 40bit RC4) comes along.
I don't think there is any interest in any govt anywhere to see this issue
solved to the satisfaction of net users though.