Announcing Droplets

shapj@us.ibm.com
Mon, 27 Sep 1999 09:27:01 -0400


By "web walker" I simply meant any program that performs link traversal.

SSL doesn't help unless there is also per-client access control.  The problem is
that *any* client can get a connection to *any* server over SSL.  SSL gives you
half-assed link encryption, but no restrictions are imposed on the server by
SSL.  Given an SSL link, the client can still request any web page and the
server will still provide it unless some other access control mechanism is in
place.

So my question is: why can't I just point a web bot at your server, download all
of the pages, and thereby extract the values of the 128-bit keys?


Jonathan S. Shapiro, Ph. D.
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595