Ethereal-users: Re: [Ethereal-users] Web Site security (OT reply)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Thorsten Fischer <thorsten@xxxxxxxxxx>
Date: Mon, 28 Nov 2005 12:15:33 +0000
This is not related to using Ethereal, but I need to say it :) Granted,
my reply is off-topic, and maybe a little rant-ish.

alias alias wrote:
> My problem is that I'm trying to encrypt the user data on the client to make sure
> that the user data travels the internet encrypted without using SSL or any other
> SSL-like mechanism. I think the code I've developed is working [...]

What is wrong with using SSL? Browsers and servers support it, and it works.

If you encrypt on the client side using your own code, then the client
must know the algorithm and, more importantly, the key. If they are not
built into the client, both need to traverse the network in the clear,
since there is obviously no encryption there in the first place.

But if I can sniff that from the wire then I will be able to decrypt the
traffic that I sniff afterwards, since I know the algorithm and the key.
If I cannot sniff it, then there is no reason to encrypt it in the
first place.

It might be that you implemented public key cryptography, but I doubt
that you did, because then you could just as well have used SSL.

Also, proper cryptography is difficult to implement properly. I have
seen many 'encryption' mechanisms passed around in JavaScript and the
like, along with the 'secret' keys and nonces and what not. It never works.


Cheers

t

-- 
Thorsten Fischer
Information Security Consultant
IRM PLC

Tel: +44 (0)20 7808 6420
Fax: +44 (0)20 7808 6421

Information Risk Management Plc
8th floor, Kings Building
Smith Square
London
SW1P 3JJ

www.irmplc.com

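The failure mode Thorsten describes, modelled as an added example (not code from the thread or from the original poster): a server embeds a hand-rolled cipher and its key in the page, the browser "encrypts" form data with it, and a passive observer who recorded both HTTP messages recovers the plaintext. The two captured messages, the key `letmein-2005`, the repeating-key XOR stand-in cipher and the function names are all constructed for this illustration.

```javascript
'use strict';

// Hand-rolled scheme of the kind the message warns about: repeating-key XOR,
// base64-encoded. Decrypting is the same operation as encrypting.
// (Stand-in for whatever the poster wrote; their actual code is not shown.)
function xorWithKey(bytes, key) {
  const k = Buffer.from(key, 'utf8');
  return Buffer.from(bytes.map((b, i) => b ^ k[i % k.length]));
}

// Message 1 on the wire (constructed): the HTTP response delivering the page.
// The secret key has to be in it, or the browser could not encrypt anything.
const SECRET_KEY = 'letmein-2005';
const capturedPage =
  'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' +
  '<script>\n' +
  `var key = "${SECRET_KEY}";\n` +
  'function enc(s){/* xor with key, base64 */}\n' +
  '</script><form onsubmit="send(enc(pw.value))">';

// What the browser sends as message 2: the "encrypted" form data.
function clientEncrypt(plaintext, key) {
  return xorWithKey(Buffer.from(plaintext, 'utf8'), key).toString('base64');
}
const capturedPost =
  'POST /login HTTP/1.1\r\nContent-Type: text/plain\r\n\r\n' +
  clientEncrypt('user=alice&pw=correct horse', SECRET_KEY);

// The passive observer's view: only the two recorded messages, nothing else.
// Because the key rode in message 1, message 2 gives no confidentiality.
// Returns null when the key is not on the wire (e.g. the page came over TLS).
function observerRecovers(pageCapture, postCapture) {
  const keyMatch = /var key = "([^"]*)"/.exec(pageCapture);
  if (!keyMatch) return null;
  const body = postCapture.split('\r\n\r\n')[1];
  return xorWithKey(Buffer.from(body, 'base64'), keyMatch[1]).toString('utf8');
}

console.log('observer sees:', observerRecovers(capturedPage, capturedPost));
```

Run with Node.js; the only thing the observer needed was the same two messages every sniffer on the path can see, which is the gap TLS closes.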