Thread: https confusion
04-08-2006
Newsbox

Re: https confusion

On Fri, 07 Apr 2006 18:45:09 -0700, Todd and Margo Chester wrote:

> Hi All,
>
> A customer has asked me to set up a secure web site
> for all his road warriors to access a database (sugar CRM via Apache).
> He has asked me this because I have set him up several Linux servers in
> his company, including their firewall.
>
> The workings of https have me baffled. How in
> the world can you set up a secure connection, if you do not have a
> "secret" key at both ends that the bad guys are not aware of?
>
> Seems to me that all the bad guys have to do is
> to watch you log on to an https (monitor your traffic) and they would
> know everything about how to duplicate your log on.
>
> The idea behind the customer's request is that
> he only wants his road warriors to access the site and only with
> encryption.
>
> Can someone point me to an explanation of how https
> works? Is https the correct route to go?
>
> Many thanks,
> --Todd


Hi Todd.
I am not unsympathetic to your issue, and not insensitive to the concerns
you obviously have. All is not lost, as it seems that you - at least - do
have an opportunity for truly and reasonably strong secure communications.
First, background from google:

http://www.google.com/search?q=encrypt+diffie

Crypto-Politics: Decoding the New Encryption Standard Diffie and Landau
recount the history of government policy on encryption. It is a story of
repeated attempts to limit public access to strong cryptography. ...
research.sun.com/features/encryption/ - 31k

RSA Security - 3.6.1 What is Diffie-Hellman? The Diffie-Hellman key
agreement protocol (also called exponential key ... The Diffie-Hellman key
exchange is vulnerable to a man-in-the-middle attack. ...
www.rsasecurity.com/rsalabs/node.asp?id=2248 - 18k

The NetIP Security Resource - Diffie-Helman Article Diffie-Hellman is not
an encryption mechanism as we normally think of them in ... Figure4
Encrypted Data Transmission. The use of Diffie-Hellman greatly ...
www.netip.com/articles/keith/diffie-helman.htm - 32k

... You get the idea. ...

Unfortunately, I am not the expert. Before we as a community can
collectively establish a general solution to a security problem, we need
to first be able to reach consensus agreement on the definition of what
that security problem is.

But first, as I am sure you may already know, virtually 100% of all
on-line purchases and other cash transactions do indeed take place under
the shadow of the concerns that you have voiced. These amount to ___
billions of dollars annually. Fill in your own researched statistics.
(Thanks!)

And here are a few anecdotes:

I use several ISPs (Internet Service Providers). One of my ISPs (that
I did not choose and would not have chosen) had an extraordinarily high
level of unsolicited and critically hostile unsolicited traffic. I have
several measures in place to protect my systems and to selectively notify
the "abuse" departments of problem issues. My systems were indeed
protected and the offending ISP('s) were indeed properly notified, and
most indeed responded with e-mail assurances that the issues would be
investigated and corrected. But the abuse from this one ISP continued
unabated. I made several telephone calls, - at least half a dozen. And
the representatives of this ISP presented me with consecutive evasions,
delays and outright open and offensive hostility. Persisting, I finally
connected with a nice (young?) lady, who seemed slightly perplexed by the
issues and the (CRM) history of all my calls. I explained some of my
concerns with botnets, dDoS's, organized crime and terrorism to her, and
seemed to connect. The attacks have not completely stopped, but perhaps
they are at least coming from different IP addresses via DHCP. That issue
is not completely gone, but it is improved. Thanks (sincere thanks) to
that one lady. The lesson here is that it is not simply enough to be able
to recognize the vectors of attack, but to also have the resolve to
neutralize those vectors. Minor, perhaps. But a good example and case in
point of the stonewalls that we face in asking for and receiving secure
internet service.

Another anecdote involves a third-party account of criminal activity that
gained access to private network data via a backdoor that was established
to allow law-enforcement authorities to trace (some?) (supposedly,
allegedly) questionable communications. The crime would not have been
possible without the "official" demand for backdoor access to "secure"
internet communications.

And the third story is about MITM. If an ISP is threatened and
intimidated by anyone as formidable as the United States Department of
Justice, to allow it to place MITM software on a server or router, who
would dare say no? Who would dare question them about security? But the
DOJ, the DOD and virtually every other US Government system has been
repeatedly "broken into", so they say. So anything the DOJ, etc., has, is
freely available to crackers, criminals and organized crime. -- Very,
very bad. No emoticon appropriate to torture and indefinite, warrantless
imprisonment. No checks and balances. No Judicial review. No
Congressional review. Use your own sense of History, please, to draw any
appropriate parallels. Thank you.

Yet we are (legally????) prevented and forbidden from (technologically
feasible) detection of the locations of the MITM vectors, established by
the US Government, and increasingly by Governments in countries on other
continents.

It is not at all impossible to detect and remove MITM nodes, except for
the constraints of governments that are "protecting us". Without that,
the community could deal with this.

The bottom line here is that as long as "Government" can authorize and
demand warrantless searches of any and everything, then it must be assumed
that everything on the internet is open to organized crime, and worse, if
worse exists.

The good news is that there is a ready, viable effective solution to your
particular (and very valid) issue. Generate encryption keys for all your
road warriors. -- Not the same keys, but different keys for each warrior.
You can use lesser protection for intermediate usage during the
change-over. But give each warrior (personally place in his/her hand or
install onto his/her notebook) his/her own key set. When that man
or woman goes over the edge, loses the notebook, sells out, etc., only
that single key is compromised. They can then each connect via an
encrypted channel that is _not_ subject to MITM attack, and you can set up
whatever HTTP pages for them that you need.

I am not the expert but believe this is correct. Perhaps someone more
knowledgeable will add or supplement, or even say where this is wrong. If
this can help you then it is well worth my effort to me, and I hope at
some point that you will share the benefits of your experience with the
rest of us. I would help with research if that could be important.

Usually, on-group conversations are most appropriate. E-mail me if
necessary.

colloquy_no_9 (at) mailingaddress.org

I wish you very good success, sir and madame. All good fortune to you.
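The per-warrior key advice in the reply above, worked through as an added example that is not part of the original post: it assumes the "key set" is a TLS client certificate issued by a private CA (the post names no mechanism), and the CA name and the users alice and bob are constructed.

```shell
# Added example: a private CA issuing one client key/certificate per road
# warrior, with revocation of a single one. All names are constructed.
ca_init() {         # $1 = empty directory that will hold the CA
  : > "$1/index.txt"; echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = road-warrior-ca
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = rw
[ rw ]
database = $1/index.txt
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_crl_days = 7
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
issue_client() {    # $1 = CA directory, $2 = user name; a fresh key per user
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -out "$1/$2.crt" 2>/dev/null
}
revoke_client() {   # revoke one user's certificate and republish the CRL
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null &&
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
client_ok() {       # status 0 only if the cert chains to the CA and is not revoked
  openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check \
    "$1/$2.crt" >/dev/null 2>&1
}
# Demo: bob's notebook is lost, so only bob's certificate is revoked.
d=$(mktemp -d) && ca_init "$d" && issue_client "$d" alice &&
  issue_client "$d" bob && revoke_client "$d" bob
client_ok "$d" alice && echo "alice: accepted"
client_ok "$d" bob || echo "bob: rejected (revoked)"
```

On the Apache side, mod_ssl enforces this with `SSLVerifyClient require`, `SSLCACertificateFile` pointing at `ca.crt`, and `SSLCARevocationFile` pointing at the published CRL.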