Another entry in the internet security hall of shame....
Eric Rescorla
ekr at rtfm.com
Fri Aug 26 17:57:00 EDT 2005
Dave Howe <DaveHowe at gmx.co.uk> writes:
> Ian G wrote:
>> none of the above. Using SSL is the wrong tool
>> for the job.
> For the one task mentioned - transmitting the username/password pair
> to the server - TLS is completely appropriate. However, hash based
> verification would seem to be more secure, require no encryption
> overhead on the channel at all, and really connections and crypto
> should be primarily P2P (and not server relayed) anyhow.
Well, it's still attractive to have channel security in order to
prevent hijacking. (Insert usual material about channel bindings
here...)
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
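
The channel-binding point raised in the reply above, sketched as an added example that is not part of the original message or thread. It models hash-based password verification with and without mixing a per-connection channel identifier into the response. The function names are hypothetical, and `channel_id` is random bytes standing in for a real TLS channel-binding value such as tls-unique.

```python
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    # Password-derived secret held by both client and server.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def client_response(key: bytes, nonce: bytes, channel_id: bytes = b"") -> bytes:
    # Hash-based proof of the password. The nonce is fixed-length, so
    # concatenating the channel identifier after it is unambiguous.
    return hmac.new(key, nonce + channel_id, hashlib.sha256).digest()


def server_verify(key: bytes, nonce: bytes, response: bytes,
                  channel_id: bytes = b"") -> bool:
    expected = hmac.new(key, nonce + channel_id, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_login(bind: bool, relayed: bool) -> bool:
    """Return True if the server accepts the client's response.

    relayed=True models a middle party that terminates one channel with the
    client and opens a second one to the server, forwarding the challenge
    and the response unchanged between them.
    """
    key = derive_key("constructed-sample-password", os.urandom(16))
    nonce = os.urandom(16)                 # server challenge
    client_side = os.urandom(32)           # channel the client sees
    server_side = os.urandom(32) if relayed else client_side
    response = client_response(key, nonce, client_side if bind else b"")
    return server_verify(key, nonce, response, server_side if bind else b"")


if __name__ == "__main__":
    for bind in (False, True):
        for relayed in (False, True):
            print(f"bind={bind} relayed={relayed} accepted={run_login(bind, relayed)}")
```

Without the binding, the server cannot tell a forwarded response from a direct one; with it, the response only verifies on the channel the client actually used.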