Does SSL provide point-to-point security?

Posted 2019-07-04 05:09

According to the following quote, SSL provides point-to-point security:

Transport security is used to provide point-to-point security between the two endpoints (service and client). If there are intermediary systems between the client and the server, each intermediate point must forward the message over a new SSL connection.

a) What is meant by SSL providing point-to-point security?

b) Is SSL communication still possible between client and server if an intermediary system (located between the client and the server) forwards the message over a non-SSL connection?

c) Assuming it is possible ... I don't see why an intermediary system forwarding messages over a non-SSL connection would provide less security, since messages are already encrypted by the original sender (which is either the client or the server) and thus can't be decrypted by intermediary systems?

thank you

EDIT:

One limitation of transport security is that it relies on every “step” and participant in the network path having consistently configured security. In other words, if a message must travel through an intermediary before reaching its destination, there is no way to ensure that transport security has been enabled for the step after the intermediary (unless that intermediary is fully controlled by the original service provider). If that security is not faithfully reproduced, the data may be compromised downstream. In addition, the intermediary itself must be trusted not to alter the message before continuing transfer. These considerations are especially important for services available via Internet-based routes, and typically less important for systems exposed and consumed within a corporate intranet.

Message security focuses on ensuring the integrity and privacy of individual messages, without regard for the network. Through mechanisms such as encryption and signing via public and private keys, the message will be protected even if sent over an unprotected transport (such as plain HTTP).
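The two designs contrasted in the quoted text can be made concrete with a small in-memory model. The following is an added example, not code from the original post or from the book it quotes. It models a client, a TLS-terminating intermediary, and a service, with each leg as a hop that either runs TLS (opaque to a passive eavesdropper on the wire, but delivered in plaintext to the system at the far end) or runs in the clear. In the transport-security-only design the intermediary holds the plaintext and can rewrite it without the service noticing; in the message-security design the client itself authenticates the payload, so the rewrite is detected no matter what the second hop looks like. All names (`Hop`, `run`, `ENDPOINT_KEY`, the sample payment) are hypothetical, the example uses only the Python standard library, and an HMAC-SHA256 tag over a pre-shared key stands in for the public-key signature the quote mentions; because the standard library has no authenticated encryption, the example demonstrates the integrity half of message security only, and its "privacy" observations reflect that.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a secret shared only by the two real endpoints
# (client and service). The intermediary never holds it.
ENDPOINT_KEY = b"client-and-service-shared-secret"  # constructed, hypothetical


@dataclass
class Hop:
    """One network leg between two systems.

    On a TLS leg a passive eavesdropper on the wire sees only ciphertext, but
    the system at the far end terminates TLS and receives the plaintext. On a
    plain leg everyone on the path sees the bytes. This is the "point-to-point"
    property: TLS protects the leg, not the message beyond the leg's endpoint.
    """
    name: str
    tls: bool
    eavesdropper_saw: List[bytes] = field(default_factory=list)

    def send(self, payload: bytes) -> bytes:
        self.eavesdropper_saw.append(b"<ciphertext>" if self.tls else payload)
        return payload  # the receiving system always gets the plaintext


def plain_message(doc: dict) -> bytes:
    """Transport-security-only design: the application payload is sent as-is."""
    return json.dumps(doc, sort_keys=True).encode()


def sign_message(doc: dict, key: bytes) -> bytes:
    """Message-security design: the original sender authenticates the payload.

    HMAC-SHA256 stands in for a public-key signature here (assumption of this
    example). A real deployment would also encrypt the body; that is omitted.
    """
    body = json.dumps(doc, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def verify_message(payload: bytes, key: bytes) -> Optional[dict]:
    """Endpoint check: return the body only if the sender's tag still matches."""
    envelope = json.loads(payload)
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None  # altered in transit (or wrong key): reject
    return json.loads(envelope["body"])


def tamper_amount(payload: bytes) -> bytes:
    """What a TLS-terminating intermediary can do with the plaintext it holds:
    rewrite a field before forwarding, with or without a signed envelope."""
    doc = json.loads(payload)
    if "body" in doc:  # signed envelope: edit inside the body the tag covers
        inner = json.loads(doc["body"])
        inner["amount"] = 9999
        doc["body"] = json.dumps(inner, sort_keys=True)
    else:
        doc["amount"] = 9999
    return json.dumps(doc, sort_keys=True).encode()


def run(message_security: bool, intermediary_tampers: bool, second_hop_tls: bool) -> dict:
    """Client -> intermediary -> service, with the intermediary terminating TLS
    on the first leg and opening a new connection (TLS or not) for the second."""
    doc = {"to": "acct-42", "amount": 10}  # constructed sample payment
    hop1 = Hop("client->intermediary", tls=True)
    hop2 = Hop("intermediary->service", tls=second_hop_tls)

    wire = sign_message(doc, ENDPOINT_KEY) if message_security else plain_message(doc)
    at_intermediary = hop1.send(wire)  # intermediary is the TLS endpoint: plaintext
    forwarded = tamper_amount(at_intermediary) if intermediary_tampers else at_intermediary
    at_service = hop2.send(forwarded)  # the "new connection" after the intermediary

    if message_security:
        received = verify_message(at_service, ENDPOINT_KEY)
    else:
        received = json.loads(at_service)  # the service has no way to notice edits

    return {
        "intermediary_saw_plaintext": b"amount" in at_intermediary,
        "second_hop_eavesdropper_saw_plaintext": b"amount" in hop2.eavesdropper_saw[0],
        "service_accepted": received is not None,
        "amount_at_service": received["amount"] if received is not None else None,
    }
```

Running `run(False, True, True)` shows the transport-only case from the quote: both legs use TLS, yet the intermediary reads and rewrites the payment and the service accepts the altered amount. `run(True, True, False)` shows the message-security case: the second leg is plain HTTP and the intermediary tampers, but the endpoint's own check rejects the message. The plain-leg eavesdropper still sees the body in the message-security runs because this example signs without encrypting; adding encryption at the sender is what would close that half.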

Tags: security ssl
2 answers
趁早两清
Reply 2 · 2019-07-04 05:46

The messages are encrypted at the endpoints. The only way to have a non-SSL connection in the middle would be to emulate both endpoints somewhere in the middle, which would be extraordinarily difficult barring flaws in the SSL implementations on either of the endpoints.

Bombasti
Reply 3 · 2019-07-04 06:04

I think the context of that quote is different from what you seem to be assuming; by 'intermediate system', I think that quote means a system that must access the message in the middle (intentionally or not)... not just a router, but something actually decrypting, viewing and/or modifying the message.

Therefore, because SSL is 'point to point', the above is actually not possible without another, separate connection being made.
