Security Basics mailing list archives
Re: Encrypted or Not Encrypted
From: Roman Fulop <ml () ensof1 trithem sk>
Date: Thu, 18 Sep 2008 18:44:03 +0200
Browser will behave just like if you entered the secure URL into the address bar manually. The only difference is that the request contains POST payload. If the site certificate is incorrect, the browser will warn the user before sending the HTTP request.

R.

Rob Wilcox wrote:
> Yes, so the client's browser takes care of the SSL business on submit, riddle me this: So there is some certificate exchange that occurs w/o user interaction on submit of the login form, does the user ever get to inspect the certificate? I would like to assume that a mismatch would generate the normal error dialog alerting the user to possible MIM?
>
> -Rob
>
> On Wed, Sep 17, 2008 at 1:06 PM, Roman Fulop <ml () ensof1 trithem sk> wrote:
>> I totally don't understand this. Setting up a test page, firing up Wireshark and testing it all took me about 3 minutes. Instead of reading RFCs, which evidently did not help you to get a correct answer.
>>
>> What happens: Client software renders the form. User enters the password and clicks submit. Client looks at the action parameter of the form element and eventually translates hostname to IP address. The action parameter also contains schema, which in this case would be https://, so it assumes target port would be 443. Then it initiates connection to target:443, TCP 3-way handshake and after establishing the TCP connection, according to schema, it initiates SSL handshake. To this point, no HTTP traffic was sent! - only after SSL is set up.
>>
>> R.
>>
>> Douglas C. Duckworth wrote:
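The ordering described in this message (TCP connect, then SSL/TLS handshake, then the HTTP request) can be checked without a packet capture. The following is an added example, not part of the original thread: a local listener records the first bytes a verifying client sends and then hangs up, so the handshake fails and the POST is never written. The host name `login.example.test`, the `/login` path and the form body are constructed placeholders.

```python
import socket
import ssl
import threading

FORM_BODY = b"user=alice&password=correct-horse"  # constructed sample POST payload
ACTION_HOST = "login.example.test"                # hypothetical host from the form's https:// action


def record_first_bytes(listener, seen):
    """Stand-in for whatever answers on the target port: log what arrives, then hang up."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(2)
        try:
            seen.append(conn.recv(4096))
        except OSError:
            seen.append(b"")
    # Hanging up without a ServerHello/certificate makes the client's handshake fail.


def submit_form(addr, body):
    """Client side of a submit: TCP connect, TLS handshake, and only then the HTTP request."""
    ctx = ssl.create_default_context()          # verifies certificate chain and host name
    raw = socket.create_connection(addr, timeout=2)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=ACTION_HOST)
    except (ssl.SSLError, OSError):
        raw.close()
        return False                            # handshake failed: nothing HTTP was written
    with tls:
        head = b"POST /login HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n\r\n" % (
            ACTION_HOST.encode(), len(body))
        tls.sendall(head + body)
    return True


def run_demo():
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = []
    worker = threading.Thread(target=record_first_bytes, args=(listener, seen))
    worker.start()
    sent = submit_form(listener.getsockname(), FORM_BODY)
    worker.join()
    listener.close()
    return sent, seen[0]


if __name__ == "__main__":
    sent, wire = run_demo()
    print("request sent:", sent, "| first byte on the wire: 0x%02x" % wire[0])
```

The first byte the listener sees is `0x16`, the TLS handshake record type, and the form body never reaches the wire because the handshake did not complete.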