Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

General SSL Concepts


  • Please log in to reply
8 replies to this topic

#1 TailsAngel

TailsAngel

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 10 January 2017 - 05:07 PM

Hello all, I am new to this site. I was just wondering if anyone could explain to me the basics of SSL, (https). 

 

1. I believe SSL is a type of certificate a website receives that proves who they say they are. Does this necessarily mean that the website is legit? Could the website still be using your information to steal your money or harm you? Or, is it generally safe to trust sites encrypted properly with https.

 

2. I know that if you are using a https connection, the data being transmitted from your browser to the server is hidden, and that your ISP and outsiders can not see your data. However, can someone else connected to your wifi/network be able to see the data that you are exchanging? For example, could my roomate be able to snoop the information? Also, can anyone on a public network, such as McDonalds or Xfinity public wifi, be able to snoop data, even if using https?

 

3. Lastly, how does SSL work? I know there is a public and private key, but I am not sure exactly where they are stored and how they work. Is SSL generally trusted?

 

Thanks to anyone willing to answer my questions, I look forward to being a part of this community.



BC AdBot (Login to Remove)

 


#2 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:11:38 PM

Posted 10 January 2017 - 05:18 PM

http://wildbill.nulldevice.net/presentations/sslpreso/
preso-figure3.gif


https://www.internetum.com/what-is-ssl-certificate-and-how-it-works/
https://www.sans.org/reading-room/whitepapers/protocols/ssl-tls-beginners-guide-1029
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

InternetDefenseLeague-footer-badge.png


#3 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:38 PM

Posted 10 January 2017 - 06:01 PM

1) SSL (and its successor TLS) is not a certificate. It is a secure communication protocol that uses certificates. When you trust https websites, you not only trust the technology, but also the processes implemented by certificate authorities (CA) to issue certificates. And it has happened that CAs have issued certificates to websites that most people here would not trust.

 

2) Generally no. But several conditions must be fulfilled to ensure confidentiality. For example, the connection must be end-to-end, without man-in-the-middle.

 

3) With server certificates, the private key is kept on the server endpoint. This can be in a file on the webserver, or in dedicated devices. Its confidentiality has to be preserved. As it name implies, the public key is not kept secret.


Edited by Didier Stevens, 10 January 2017 - 06:02 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 TailsAngel

TailsAngel
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:38 AM

Posted 10 January 2017 - 06:13 PM

1) SSL (and its successor TLS) is not a certificate. It is a secure communication protocol that uses certificates. When you trust https websites, you not only trust the technology, but also the processes implemented by certificate authorities (CA) to issue certificates. And it has happened that CAs have issued certificates to websites that most people here would not trust.

 

2) Generally no. But several conditions must be fulfilled to ensure confidentiality. For example, the connection must be end-to-end, without man-in-the-middle.

 

3) With server certificates, the private key is kept on the server endpoint. This can be in a file on the webserver, or in dedicated devices. Its confidentiality has to be preserved. As it name implies, the public key is not kept secret.

 

So https is the protocol that encrypts the data, that uses trusted certificates issued by a CA? To be granted certificates by trusted CA's, do they check your background information to make sure you are trusted, or is receiving such certificates as easy as applying and paying for them?



#5 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:11:38 PM

Posted 10 January 2017 - 06:21 PM

As Didier explained in answer 2.

Another misconception, is that https will hide the web sites URL your visiting. This is not the fact.

Let's say I goto https://duckduckgo.com/ and I want to search for "best porn sites" on the net.

The result is, https://duckduckgo.com/?q=best+porn+sites&t=hx&ia=web

While the data transferred between duckduckgo server is encrypted through SSL/TLS, the URL is visible to your ISP, and all routers through the Trace Router circuit to duckduckgo.

In 2008 there were over 3 000 000 of servers and websites that were using the SSL certificates, but according to the research conducted by the NetCraft company (www.netcraft.com) , only about 1/3 of them were found to be safe and reliable. Other SSL certificates did not have the proper cryptographic security level or were offered by unidentified publishers. https://www.internetum.com/what-is-ssl-certificate-and-how-it-works/
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

InternetDefenseLeague-footer-badge.png


#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:38 PM

Posted 10 January 2017 - 06:27 PM

Yes, you can obtain certificates without any background checks. Also without paying: https://letsencrypt.org/

 

There are certificates that require some background checks: extended validation certificates. Some browsers use another color (green) to indicate these certificates.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 x64

x64

  • Members
  • 352 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London UK
  • Local time:12:38 PM

Posted 12 January 2017 - 04:13 PM

......
Another misconception, is that https will hide the web sites URL your visiting. This is not the fact.

Let's say I goto https://duckduckgo.com/ and I want to search for "best porn sites" on the net.

The result is, https://duckduckgo.com/?q=best+porn+sites&t=hx&ia=web

While the data transferred between duckduckgo server is encrypted through SSL/TLS, the URL is visible to your ISP, and all routers through the Trace Router circuit to duckduckgo.

This statement is not entirely accurate.... The ISP will be able to see the IP address of the server that you are contacting, but not the actual URL.

the "/q=best+porn+sites&t=hx&ia=web" but would not be visible to the ISP

 

They would be able to see the server name (duckduckgo.com) through the DNS queries that your PC made before starting to actually contact the remote web server, but not through the transaction directly with the remote web server. In that transaction, the server name in encoded within the request header as is the part of the URL after the first "/". They are encrypted by TLS and sent to the IP address of the remote web server.

 

If that remote web server is a shared web server, your ISP would have no idea which site on that server you were accessing except ny tying up the preceding DNS query with the actual webpage retrieval.

 

As for trust... As has been said above, the green "Extended validation" certificate notification says that the issuer has verified that the person requesting the certificate has authority to represent the organisation named on the certificate. They do not normally examine their trustworthyness. without the green certificate notification, the requetor may only need to prove ownership of the Internet domain.

 

for example if I registered he domain x64sbank.com I could set up a website and buy a certificate just beacuse I had the domain. However the padlock woould not be green, and the certificate details would probably say 'domain validated' or something similar insetead of an organisation name. If I wanted the green padlock, I'd need to prove ownershiop of a company - say GeeksBank ltd. - I could send in the company reg documentaion paperwork for "GeeksBank ltd" which owned x64sbank.com and get a certificate to prove exactly that.

 

So Green Padlock - you know WHO you're talking to. normal padlock - you are talking to the Server name that you intended to (nobody has intercepted the traffic and substituted a false reply), but you have no idea who runs that server.

 

x64



#8 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:11:38 PM

Posted 12 January 2017 - 06:00 PM

This statement is not entirely accurate

Actually, you're correct, and in my haste to post I didn't explain it verbosely. A good example is https://stackoverflow.com/questions/499591/are-https-urls-encrypted/499595#499595

Hence, my final statement in context: In 2008 there were over 3,000,000 of servers and websites that were using the SSL certificates, but according to the research conducted by the NetCraft company (www.netcraft.com) , only about 1/3 of them were found to be safe and reliable.

And this sniffing/leak of HTTPS URLS.

Sniffing HTTPS URLS with malicious PAC files. https://www.contextis.com/resources/blog/leaking-https-urls-20-year-old-vulnerability/
WPAD Flaws Leak HTTPS URLs. https://threatpost.com/wpad-flaws-leak-https-urls/119582/
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 

InternetDefenseLeague-footer-badge.png


#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,685 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:38 PM

Posted 13 January 2017 - 02:16 PM

Correct, the path (http://www.example.com/path) is used inside the encrypted SSL/TLS channel (like GET path HTTP/1.1), and is thus not in cleartext.

 

Besides looking at DNS traffic to identify hostnames (www.example.com), I've observed other methods to do this.

 

1) Looking at the SSL/TLS handshake (that handshake is unencrypted). The Client Hello message will often contain a server_name extension, disclosing the hostname. The Certificate message will contain a subject, disclosing the hostname (or partial: example.com).

2) When the connection is tunneled through a proxy, the HTTP CONNECT command will contain a Hostname header (all in cleartext).

 

And now that I've taken a closer look at the diagram in #2, I'll remark that the cipher suite negotiation is done with the Client Hello and Server Hello messages. The key exchange depends on the selected cipher suite.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users