Archive of UserLand's first discussion group, started October 5, 1998.

Re: What's the deal with Third Voice?

Author:Paul Snively
Posted:9/30/1999; 10:11:03 AM
Topic:Windows apps on Linux: the real reason
Msg #:11651 (In response to 11576)
Prev/Next:11650 / 11652

Wesley Felter wrote:

OK, I'll take you up on this. What's your proposal on how to implement a non-annotatable Web site using open protocols? You get to design the protocol if you want, but it has to be openly documented. (I assume that's what you're talking about; please correct me if I'm wrong.)

You're entirely correct. However, I'm not sure I'm willing to go so far as to say "non-annotatable Web site" (which I don't think is possible in the general case, or even desirable). I am willing to say "let's guarantee that the person browsing the site is the person who registered to do so, assuming that the organization administering the server is willing to guarantee its physical security and the organization administering the browsing machine is willing to guarantee its physical security."

My first question is specific to proxy servers, and that is: why doesn't SSL trivially solve the problem? The site's home page consists of a redirect to the same URL but with https://... instead of http. Any proxy server between the browser and server sees gobbledygook. Any proxy server that tries to be clever and do the SSL handshaking to the server on the backend and to the browser on the front end will be faced with the task of counterfeiting the server's certificate so that the browser will still appear to be talking directly to the server.

Going beyond the specific case to some of the more general issues raised by, e.g., Jeremy Bowers, there's now a whole class of standards-based security systems to help with the construction of fully authenticated/enciphered TCP/IP communication. The standard is called IPSEC, and is implemented both by a variety of commercial systems and a few Open Source ones, such as Linux FreeS/WAN, which can be found at <http://www.xs4all.nl/~freeswan/>. Such systems go beyond SSL and offer key exchange protocols, generally based these days on Diffie-Hellman, but Diffie-Hellman is susceptible to man-in-the-middle attack (exactly the problem that proxy servers introduce), so one should really only use such systems in the presence of, e.g., Secure DNS as implemented in BIND versions 8.2 and later.

I read Shapiro's dissertation and the erights site and I have written a Web server before, so hopefully that makes me qualified to understand your solution.

I suggest you visit <http://www.waterken.com> and follow the links to the Beach Sex demo to give that a spin. I'm a big fan of capability-based security and would like to see it spread. What Waterken (Tyler Close) has done is to combine the use of SSL with the use of "swiss numbers" in the URL: to gain access to a particular page, you'd have to correctly guess a number larger than the number of grains of sand on the earth. Connect the URLs to active content (Java Servlets in Waterken's case) and a database, and voilà: a capability-based secure system. This is what I know could be trivially reimplemented in Frontier.

Anyway, Wesley, thanks for your response--it was exactly the sort I was hoping for. I'd like to suggest that we continue via e-mail, as the likely back-and-forth has little or nothing to do with Third Voice or any of the other topics under this heading here. Besides, I promised Dave I'd shut up. ;-)

Many thanks,
Paul Snively
<psnively@earthlink.net>
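The two mechanisms Paul describes above, the http-to-https bounce on the home page and "swiss number" capability URLs, as an added example that is not part of the original post and is not Waterken's or Frontier's code. Everything here is assumed for illustration: the `store`, `mint_capability`, `lookup_capability` and `handle` names, the 128-bit token size, the choice to keep only a SHA-256 of each token in the store, and the decision to refuse (rather than redirect) a capability token that arrives over plain http, since every proxy on the path has already seen it by then.

```python
import hashlib
import secrets
from urllib.parse import urlsplit, urlunsplit

# Assumption: 16 random bytes = 128 bits, so 2**128 candidate tokens. The post's
# "grains of sand on the earth" is on the order of 10**19 (about 2**63), so a
# guesser is worse off than that by a factor of roughly 2**65.
SWISS_BYTES = 16


def _fingerprint(token: str) -> str:
    # The store keeps only a hash of each swiss number, so someone who reads
    # the database is not handed a list of live capabilities.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def mint_capability(store: dict, resource: str) -> str:
    """Create a fresh unguessable token that grants access to `resource`."""
    token = secrets.token_urlsafe(SWISS_BYTES)  # CSPRNG, URL-safe base64
    store[_fingerprint(token)] = resource
    return token


def lookup_capability(store: dict, token: str):
    """Return the resource a token designates, or None if it is unknown."""
    return store.get(_fingerprint(token))


def handle(store: dict, url: str):
    """Minimal request dispatcher: returns (status, body-or-Location)."""
    parts = urlsplit(url)
    path = parts.path or "/"

    if parts.scheme == "http":
        if path == "/":
            # The home page's only job is to bounce the browser onto TLS.
            return 302, urlunsplit(("https", parts.netloc, "/", "", ""))
        # Anything deeper over plain http may carry a swiss number that every
        # proxy between browser and server has now read; refuse instead of
        # redirecting, so the server never acts on a token it saw in the clear.
        return 400, "capability URLs are only served over https"

    if parts.scheme != "https":
        return 400, "unsupported scheme"

    if path == "/":
        return 200, "home page"

    # The last path component is the capability; the rest is decoration.
    token = path.rsplit("/", 1)[-1]
    resource = lookup_capability(store, token)
    if resource is None:
        # Unknown token: say nothing about whether it was ever valid.
        return 404, "not found"
    return 200, resource


if __name__ == "__main__":
    # Constructed sample session, not captured traffic.
    cap_store = {}
    tok = mint_capability(cap_store, "beach report")
    print(handle(cap_store, "http://example.test/"))
    print(handle(cap_store, "https://example.test/cap/" + tok))
    print(handle(cap_store, "http://example.test/cap/" + tok))
```

The lookup is a plain dictionary read keyed on the hash, so there is no string comparison against the raw token to leak timing, and a stolen copy of the store cannot be replayed as URLs. What this does not do is stop a proxy that can forge the server's certificate; that is exactly the case the post leaves to SSL's certificate checks in the browser.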
This page was archived on 6/13/2001; 4:52:54 PM.

© Copyright 1998-2001 UserLand Software, Inc.