[cryptography] SSL is not "broken by design"

Andy Steingruebl andy at steingruebl.com
Mon Sep 19 13:01:48 EDT 2011


On Mon, Sep 19, 2011 at 9:42 AM, Marsh Ray <marsh at extendedsubset.com> wrote:
>
> I love SSH and think it's a great protocol. But to be honest, we have to
> admit that it would be far worse than SSL at the problem
> no-prior-relationship ecommerce bootstrapping problem.

Yes, it probably is worse at that.  That said, it did an amazing job
at stopping all of the passive password sniffing that went on when it
was first released.  Our compromised accounts where I worked at the
time went down insanely when we switched over to SSH for logins.
People at the time weren't performing MiTM attacks, they were "just"
sniffing, and SSH totally defeated that.

Was it a failure because it didn't solve bootstrapping perfectly, it
didn't have a perfect UI, etc?  Nope, it wasn't.  It was pretty
upfront about the types of errors that could occur.

- Andy



More information about the cryptography mailing list