Security Basics mailing list archives
Re: Encrypted or Not Encrypted
From: Roman Fulop <ml () ensof1 trithem sk>
Date: Wed, 17 Sep 2008 19:06:34 +0200
I totally don't understand this. Setting up a test page, firing up wireshark and testing it all took me about 3 minutes. Instead of reading rfcs, which evidently did not help you to get a correct answer. What happens: Client software renders the form. User enters the password and clicks submit. Client looks at the action parameter of the form element and eventually translates hostname to ip address. The action parameter also contains schema, which in this case would be https://, so it assumes target port would be 443. Then it initiates connection to target:443, tcp 3-way handshake and after establishing the tcp connection, according to schema, it initiates ssl handshake. To this point, no http traffic was sent! - only after ssl is set up. R. Douglas C. Duckworth wrote:
Basha, Arif wrote:I think Rob is talking about the difference similar to the two following sites: http://wachovia.com/ and https://onlineservices.wachovia.com/auth/AuthService?action=presentLogin&url=https%3a//onlineservices.wachovia.com/NASApp/NavApp/Titanium%3faction%3dreturnHome So if you enter the password on the first URL, is it secured on its way to the second URL, where the SSL handshake is initiated from? -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Douglas C. Duckworth Sent: Tuesday, September 16, 2008 12:36 PM To: Rob Cc: Eifrém Strinnholm Jonas; <amatachick () gmail com>; <security-basics () securityfocus com> Subject: Re: Encrypted or Not Encrypted If you connect with SSL, you perform the handshake first. Thereafter all data is encrypted. You don't send your password first. That would make no sense since the data is viewable as plain text. More information: http://www.schneier.com/paper-ssl.pdf Rob wrote:So how are the credentials protected in network transit to the secure site? The way you explain it, I see the creds being exposed on their way to the secure site. Optimally they should enter their creds after ssl has setup the secure session, not after.. What am I missing? Rob Sent from my iPhone On Sep 12, 2008, at 6:44 AM, Eifrém Strinnholm Jonas <Jonas.Eifrem () sweco se> wrote:Encrypted. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of amatachick () gmail com Sent: den 11 september 2008 20:25 To: security-basics () securityfocus com Subject: Encrypted or Not Encrypted I've run into this issue a few times now and would like to know what y'all think. Here is the situation: A website not using SSL has a login page. As soon as credentials are entered on this page they are redirected to a site using SSL. Here is a specific example of the code on one such site: <form name="loginpersonal" method="POST" action="https://secure.sitename.com/engine/login/login.asp" onSubmit="return checkLoginForm(this);"> <input type=hidden name=IsPostback value=1> Now, from what I understand, the login credentials would still be unencrypted while traveling to the secure site. So that would negate the effect of having it redirect to a secure site in the first place. Right? I keep brining up this fact but all I get back is that it's being redirected so it's secure. I feel like I'm taking crazy pills here so I'd appreciate some feedback. Am I wrong? If I am I can handle that, I'd just like to know. Thanks!I believe it's not. The handshake requires that the client initiate the SSL connection. Here's an RFC for TLS: http://tools.ietf.org/html/rfc2818 The agent acting as the HTTP client should also act as the TLS client. It should initiate a connection to the server on the appropriate port and then send the TLS ClientHello to begin the TLS handshake. When the TLS handshake has finished. The client may then initiate the first HTTP request. All HTTP data MUST be sent as TLS "application data". Normal HTTP behavior, including retained connections should be followed. When you do HTTP first you are actually connecting over the wrong port and also sending HTTP data before the handshake. You are doing the HTTP connection first. So perhaps after sending the password over insecure HTTP, the client is directed to HTTPS where data between server and client are encapsulated, but the initial password was not. Therefore one cannot sniff the data between the client and server after the handshake, but the initial password should be available as the SSL handshake was not completed before sending HTTP data. More on TLS: http://tools.ietf.org/html/rfc5246 The TLS Record Protocol is used for encapsulation of various higher- level protocols. One such encapsulated protocol, the TLS Handshake Protocol, allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data. So don't login unless it's https. Doug
Current thread:
- Encrypted or Not Encrypted amatachick (Sep 11)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 12)
- Re: Encrypted or Not Encrypted Gregory Rubin (Sep 16)
- Re: Encrypted or Not Encrypted Garry Baker (Sep 12)
- RE: Encrypted or Not Encrypted Eifrém Strinnholm Jonas (Sep 12)
- Re: Encrypted or Not Encrypted Rob (Sep 16)
- Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 16)
- RE: Encrypted or Not Encrypted Basha, Arif (Sep 16)
- Re: Encrypted or Not Encrypted Douglas C. Duckworth (Sep 17)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 18)
- Message not available
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 19)
- Re: Encrypted or Not Encrypted Rob (Sep 16)
- Re: Encrypted or Not Encrypted Roman Fulop (Sep 12)
- Re: Encrypted or Not Encrypted Rob (Sep 17)
- RE: Encrypted or Not Encrypted Boaz Shunami (Sep 17)
- RE: Encrypted or Not Encrypted Marco M. Morana (Sep 16)
- <Possible follow-ups>
- Re: Encrypted or Not Encrypted ab_e (Sep 12)
- Re: Encrypted or Not Encrypted krymson (Sep 12)
- Re: Encrypted or Not Encrypted robert (Sep 12)
- Re: Encrypted or Not Encrypted mike (Sep 16)
- Re: Encrypted or Not Encrypted amatachick (Sep 22)