NNSquad - Network Neutrality Squad
[ NNSquad ] Re: HTTP must die!


For a long time, I've wondered why SSL/TLS didn't have a null cipher suite as a nominally available option. That would permit server identification and HTTP payload authentication without the processing cost of encryption. It would also be useful for debugging. This quote makes me think that SSL won't do what I wish for:

"The encapsulation of SSL control protocols by the record protocol means that if an active session is renegotiated the control protocols will be transmitted securely. If there were no session before, then the Null cipher suite is used, which means there is no encryption and messages have no integrity digests until the session has been established." [http://www.modssl.org/docs/2.8/ssl_intro.html 2007-12-11]

And the openssl man page suggests to me that you can have encryption without authentication, but not the other way around (under cipher lists):
"eNULL, NULL
the "NULL" ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.

aNULL
the cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a ``man in the middle'' attack and so their use is normally discouraged."
[http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS 2007-12-11]

Am I misunderstanding SSL/TLS? Perhaps IPv6 security addresses this directly with the Authentication Header (http://www.tml.tkk.fi/Opinnot/Tik-110.551/1996/ahesp.html).

Kelly
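As an added illustration of the eNULL/aNULL distinction from the openssl man page quoted above (example code, not from this thread or from OpenSSL), the following script parses lines in the format `openssl ciphers -v` prints and separates suites that have no encryption (Enc=None) from suites that have no server authentication (Au=None). The sample lines are constructed from that output format so the script runs offline; `audit_cipher_string` is an assumed helper that calls the local openssl binary when one is present.

```python
"""Classify OpenSSL cipher suites by what they leave out (added example).

Reads lines in the `openssl ciphers -v` format (name, protocol, Kx=, Au=,
Enc=, Mac=) and sorts them into the eNULL class (Enc=None: no encryption)
and the aNULL class (Au=None: anonymous key exchange, no authentication).
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `openssl ciphers -v 'ALL:eNULL'` output (abridged).
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AECDH-AES128-SHA        TLSv1 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA    Au=RSA  Enc=None      Mac=SHA256
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

_FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")


def parse_ciphers(text: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -v` lines into dicts with name, proto and the
    Kx/Au/Enc/Mac fields. Lines lacking any of the four fields are skipped."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        fields = dict(_FIELD.findall(line))
        if len(parts) < 2 or len(fields) != 4:
            continue
        fields["name"], fields["proto"] = parts[0], parts[1]
        suites.append(fields)
    return suites


def classify(suites: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return suite names with no encryption (eNULL) and no authentication (aNULL)."""
    return {
        "eNULL": [s["name"] for s in suites if s["Enc"] == "None"],
        "aNULL": [s["name"] for s in suites if s["Au"] == "None"],
    }


def audit_cipher_string(cipher_string: str) -> Dict[str, List[str]]:
    """Assumed helper: expand a cipher string with the local openssl binary and
    classify the result. Use parse_ciphers() on saved output if openssl is absent."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return classify(parse_ciphers(out))


if __name__ == "__main__":
    print(classify(parse_ciphers(SAMPLE_OUTPUT)))
```

Running it on a server's configured cipher string shows at a glance whether either class has crept in; in the sample, the Enc=None suites still carry a Mac= field while the Au=None suites do not authenticate the peer at all.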

Brett Glass wrote:
At 03:41 AM 12/11/2007, Jens-Wolfhard Schicke wrote:

the last article on Lauren's blog surely makes a good point.

I disagree. Using HTTPS for everything would preclude caching. This, in turn, would drive ISPs' bandwidth costs (and, hence, the prices that end users pay for Internet access) up by about 30%, while dramatically degrading performance.

(Yes, we get a 30% byte hit rate on our cache -- and a 75% byte hit rate on some high demand sites like YouTube.)

--Brett Glass