[Box Backup] Experiences with modification for unencrypted client-server communication

Leif Linderstam ell2 at live.se
Fri Mar 18 21:56:08 GMT 2011


Hi Chris,

> Are you aware that removing the SSL layer also removes the ability for the
> server to verify the client's ID, which would allow any client to
> impersonate any other signed by the same CA?

Yes, I am aware of that, but this is a home network and all machines on it
are trusted not to behave that way. Through the VPN tunnel the remote box
becomes part of my home network and is almost invisible to the rest of the
world.

> Agreed about the speed issue. I'm not persuaded about the value of
> removing TLS encryption, versus the potential security risk. Perhaps
> configuring TLS to use a null cipher, and signing packets for
> authentication, might still be more secure than a completely unencrypted
> connection?

I would not use non-encrypted communication over the Internet, or any other
not entirely trusted network for that matter. Nevertheless, I have also come
to the conclusion that there is not enough value in being able to remove
encryption, mostly because of the added complexity.

> Did you consider using a plain SocketStream instead of a SocketStreamTLS?

That would be the proper way of doing it, yes. But I was looking for the
quickest way to turn off encryption for the main bulk of data. Additionally
the server logic uses the certificate that I guess it receives from the
client to extract the "name" of the client, which in turn is used to
associate the session with the right account. Using SocketStream directly
would have meant adding a corresponding handshake as well.

> SocketStream should hide the details of whether the underlying socket is
> blocking or not, so this might be a bug in the applications using
> SocketStreamTLS, but probably not one that I'd be inclined to investigate
> for the above reasons.

No, of course not. Do not waste any time on this. I just wrote the mail to
share my experiences in case someone was interested. If my memory serves me,
someone has previously asked about this sort of thing, but I cannot find it
at the moment.

Cheers,
Leif
