Re: Idea for making SSL more efficient

["Kurt Seifried" <bt () seifried org>]

Highly flawed, requires HUGE changes to proxy software, and to client
software, which will never happen, even assuming it does there's still
several potential avenues of attack. My advice: buy an SSL accelerator like
everyone else does, you can get them as cheap as 100$ or so now for a PCI
card.


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message ----- 
From: "Paul Johnston" <paul () westpoint ltd uk>
To: <webappsec () securityfocus com>
Sent: Thursday, July 15, 2004 2:12 AM
Subject: Idea for making SSL more efficient


> Hi,
>
> A disadvantage with SSL is that it places increased load on the server,
> in particular because client's ISP caches cannot be used. In most
> situations the images on an SSL site are not confidential. If they are
> included as HTTP links then the browser will display a "mixture of
> secure and insecure content" warning. That is sensible, because an
> attacker could potentially manipulate the images to deceive the user.
>
> My idea is to include a MD5 hash of the image in the img tag, so in an
> https page you could do <img src="http://x.y.z/a.png"; md5="xyz789"/> to
> reference an HTTP image. Images protected by these integrity checks
> would then not cause a browser warning.
>
> I expect roll-out would not be easy, and also there may be concerns
> about infering what is on the SSL page from what images are requested
> (e.g. whether "overdrawn.png" gets requested).
>
> Anyone got thoughts on this?
>
> Paul
>
> -- 
> Paul Johnston
> Internet Security Specialist
> Westpoint Limited
> Albion Wharf, 19 Albion Street,
> Manchester, M1 5LN
> England
> Tel: +44 (0)161 237 1028
> Fax: +44 (0)161 237 1031
> email: paul () westpoint ltd uk
> web: www.westpoint.ltd.uk