|
Posted by Steven L Umbach on October 4, 2005, 12:11 pm
If you were Registered and logged in, you could reply and use other advanced thread options
The encryption itself is strong and SSL is used every day by tens of
millions of users. But when you add that "someone who has complete control
of their servers", it would depend on if that user is malicious or not and
able to get access to the data after it has been decrypted. Keep in mind
that in a reverse proxy configuration that the user is actually making the
ssl connection to the proxy server which then communicates with the web
server which could be either http or https as is that possibility with ISA.
One would expect that the data would be encrypted all the way to the web
server and hopefully protected by ipsec also. Having said that anyone who
uses ssl has to have some trust in the organization that they are using it
with. When I go to Schwab.com I have no idea how well they have everything
secured though I know that they know that if they had a compromise it would
be devastating to their business.
Personally I feel better using ssl to a known legitimate website than
handing my charge card to the clerk behind the counter at the convenience
store. You have to assess the level of risk and put a value on what would
happen if the users data was captured or compromised. If your users are
accessing trade secrets, top secret projects, or CIA informant lists I would
look at a solution like using l2tp VPN and then ipsec from the VPN server to
the server they are trying to access which would then be physically secured.
That would prevent man in the middle, session hijacking, or replay attacks
if implemented correctly. SSL itself is not so vulnerable to cracking but
malicious users can trick a user by rerouting their access to a bogus
webserver using bogus dns records/host file and then get the user to accept
the entrusted certificate which amazingly the majority will gladly accept.
I guess that should not be surprising as users look at all the health
warnings on a pack of cigarettes and light up. --- Steve
> This is a question about how secure encryption is.
>
> I've allowed several users to install LogMeIn (web based remote access
> tool. I suppose it's similar to GoToMyPC.) on their local computers. I
> have one particular question about the security of their connection (which
> uses 128 or 256 bit encryption & SSL & proxy servers.);
>
> Would it be at all possible for someone who has complete control of their
> servers to intercept and read the encrypted packets between client PCs
> (for example by cracking the passwords)?
>
> I assume they it's virtually impossible. But someone brought it up at the
> office and I'm not able to clearly and definitively prove them wrong.
>
> Thanks,
>
> BobK
>
>
| 
XML site map