[cryptography] Repeated Encryptions Considered.... ?
nico at cryptonector.com
Tue Jun 21 17:26:12 EDT 2011
On Tue, Jun 21, 2011 at 4:14 PM, Ian G <iang at iang.org> wrote:
>> Why not send *all* your network traffic over TLS?
> The typical reasons for not using TLS would be (a) it's a stream-oriented
> point-to-point protocol, whereas most activity is app-level
> datagram-oriented, (b) it's too closely linked with PKI / x509
> implementations, which is too clumsy in many ways, and (c) it only delivers
> a relatively small subset of a fuller security model.
See also: DTLS (Datagram-oriented TLS) and the GSS-API, both of which
can handle datagram-oriented apps.
> further towards datagram programming than the pre-JS 1990s school. The
> temptation to throw out TLS is stronger as you get closer to the datagram,
> and as you do more of a full security analysis. )
Color me skeptical. With fast session resumption and stateless
servers, HTTPS is really quite close to being as good as a
datagram-oriented channel. And if there are still performance issues, let's
address those in TLS. Alternatively, what are the apps *not*
protecting if they use JS crypto?, and is that safe?, and in what