Re: "Secure Socket Layer" protocol (NYT Article)
Rens Troost (rens@imsi.com)
Tue, 24 Jan 1995 11:34:40 -0500
> Richard Sez:
>
> There's a protocol being touted by Netcape Communications Corportation
> (formerly Mosaic Communications Corportation) which is supposedly strong
> enough to conduct commerce over. It's description is in a document with
> all the RFC-bound trappings, located on http://www.mcom.com/someplace.
http://www.mcom.com/info/SSL.htm
> I'm not a member of the Brainiac Protocol Busters Club, but the protocol
> looks pretty good to me. In lieu of the IETF protocol, has anybody
> spotted flaws in the SSL ? It's up and working now, apparently.
SSL is a perfectly fine session-level encryption protocol; It layers
conceptually on top of TCP and under (ftp, http, whatever) and
provides support for a number of different block and stream encryption
methods.
It does have a few problems:
1> It's yet another standard to do this, and is only
implemented currently in netscape.
2> The authentication and encryption are associated with
the session/connection, and not with the transported data.
this makes it useless when a proxy is involved.
3> It looks like S-HTTP is going to be the standard and not
SSL. S-HTTP is also available now.
4> The spec author (kipp@warp.mcom.com) does not seem to have
time to help others implement SSL, and there is no
mailing list as yet.
But, on the other hand, it's a perfectly good design for doing what it
does, and it is deployed in the netscape and netsite software.
-Rens