Secure connections: how secure are they?

*QUOTE*

......... both useful and malicious information can be transmitted via network
connections. Standard solutions protect computers against threats present in
standard network connections, but aren't able to counter threats present in
secure connections. Verifying the contents of a secure connection is
impossible by virtue of its secure nature, as demonstrated by the different
types of protection listed above. As a result, malicious data within secure
channels can cause a significant amount of damage, and sometimes more than if
it were to be transmitted via a standard, non-secure connection.

The fact that it's easy to encrypt a network channel and the fact that in most
cases there will be no verification of who created the file results in a
contradictory situation: a "secure connection" to a server provides the user
with a feeling of security, but does not guarantee that the connection will be
free from malicious data.

http://www.viruslist.com/en/analysis?pubid=204791929

*UNQUOTE*

Alan



0
alan
3/17/2007 5:57:20 AM
📁 grc.security
📃 16608 articles.
⭐ 3 followers.

💬 7 Replies
👁️‍🗨️ 2219 Views

On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:

> a "secure connection"
This is nothing more than a misleading phraze.
The HTTPS connection should be called "the encrypted [and authenticated]  
connection".
It is just that - an encrypted but not any securier than the non-encrypted.

Somebody (an illiterate journalist, as usual) has invented this phraze and  
unfortunatelly it became widely [mis]used...

Tony.

-- 
Properly read, the bible is the most potent force for atheism ever  
conceived.
0
Anthony
3/17/2007 10:29:46 AM
On Sat, 17 Mar 2007 in grc.security, Anthony OZ wrote
>On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:
>
>> a "secure connection"
>This is nothing more than a misleading phraze.
>The HTTPS connection should be called "the encrypted [and 
>authenticated]  connection".
>It is just that - an encrypted but not any securier than the non-encrypted.
>
>Somebody (an illiterate journalist, as usual) has invented this phraze 
>and  unfortunatelly it became widely [mis]used...

And IIRC it's relatively easy for a network admin to set up an 
undetectable Man In The Middle attack that would let them see all the 
traffic unencrypted even though it was encrypted at both ends.
-- 
GRC Newsgroups/Guidelines/No Regrets:
http://www.imilly.com/noregrets.htm
 From invalid, Reply To works.
Kevin A.
0
Kevin
3/17/2007 10:45:13 AM
On Sat, 17 Mar 2007 13:45:13 +0300, Kevin A. <svwdun902@sneakemail.com>  
wrote:

> ...it's relatively easy for a network admin to set up an undetectable  
> Man In The Middle attack that would let them see all the traffic  
> unencrypted even though it was encrypted at both ends.
You should have started it with: "Provided an admin has the control over a  
client's machine and a client is dumb enough...".

With a decent browser|e-mail it is not that easy for a malicious admin  
(I'm not talking about root-kits totally subverting what a user sees via a  
GUI.).

Unlike IEv7 (where I could not find a way to see the selected cipher and  
the key length for a given HTTPS session) Opera gives you the complete  
info about all the details involved in the protecting of your current  
HTTPS connection.

Tony.

-- 
Properly read, the bible is the most potent force for atheism ever  
conceived.
0
Anthony
3/17/2007 11:10:34 AM
On Sat, 17 Mar 2007 13:29:46 +0300, Anthony OZ sent:

> This is nothing more than a misleading phraze. The HTTPS connection
> should be called "the encrypted [and authenticated] connection". It is
> just that - an encrypted but not any securier than the non-encrypted.

I would disagree.  My kept-private conversation with someone *is* secure.
Certainly in compared to having an open conversation where others can hear
what we're saying.

Of course there's no guarantees about what use might be made of the
information, afterwards.

> Somebody (an illiterate journalist, as usual) has invented this phraze and
> unfortunatelly it became widely [mis]used...

More likely whoever came up with "HTTPS" (Hyper Text Transfer Protocol
Secured).  Which is different than "S-HTTP" (Secure Hyper Text Transfer
Protocol).  A journo didn't name it HTTPS.


-- 

This message was sent without a virus, please destroy some files yourself.

0
Tim
3/18/2007 5:50:22 AM
Kevin A. wrote:
> On Sat, 17 Mar 2007 in grc.security, Anthony OZ wrote
>>On Sat, 17 Mar 2007 08:57:20 +0300, alan <me@404.net> wrote:
>>
>>> a "secure connection"
>>This is nothing more than a misleading phraze.
>>The HTTPS connection should be called "the encrypted [and
>>authenticated]  connection".
>>It is just that - an encrypted but not any securier than the
>>non-encrypted.
>>
>>Somebody (an illiterate journalist, as usual) has invented this phraze
>>and  unfortunatelly it became widely [mis]used...
> 
> And IIRC it's relatively easy for a network admin to set up an
> undetectable Man In The Middle attack that would let them see all the
> traffic unencrypted even though it was encrypted at both ends.

FWIW, the admin would have to be more than just the "network" admin. They
would also have to be the local system administrator (or the Domain
administrator, in a thinish-client setup) in order to install locally
controlled root keys at the local endpoints.

Regards,
Sam
0
Sam
3/18/2007 6:00:29 AM
On Sun, 18 Mar 2007 08:50:22 +0300, Tim <tim@mail.localhost.invalid> wrote:

> I would disagree.  My kept-private conversation with someone *is* secure.
Something "secured" is "secure", your private conversation is just  
"private".

For me - "security" is "absence of threats and dangers".
The "privacy" in itself does NOT prevent the second party from causing you  
all sorts of troubles.

Tony.

-- 
Properly read, the bible is the most potent force for atheism ever  
conceived.
0
Anthony
3/18/2007 11:51:15 AM
Anthony OZ wrote:
> On Sun, 18 Mar 2007 08:50:22 +0300, Tim <tim@mail.localhost.invalid> wrote:
> 
>> I would disagree.  My kept-private conversation with someone *is* secure.
> Something "secured" is "secure", your private conversation is just 
> "private".
> 
> For me - "security" is "absence of threats and dangers".

So nothing ever will be secure. What have we done to be condemned to 
existence on an imperfect world?

> The "privacy" in itself does NOT prevent the second party from causing 
> you all sorts of troubles.

As long as wet-ware is involved troubles are always lurking on the horizon.

"Privacy" is the closest we can come to "safety" so it is not a bad goal 
  even if it doesn't mean complete security.

> 
> Tony.
> 
> --Properly read, the bible is the most potent force for atheism ever 
> conceived.
0
Dave
3/18/2007 9:27:06 PM
Reply: