Anybody know how https *really* works? I didn't think so - Page 2


Re: Anybody know how https *really* works? I didn't think so

["Followup-To:" header set to alt.computer.security.]
...
Your system contacts Z and asks for a public key. It then checks the
signing authority of that public key against the set of signing
authorities it has in its list. If it checks out, it then uses Z's
public key to encrypt a random symmetric key, and encrypts the message with
that symmetric key, and sends the encrypted symmetric key and the
encrypted message out.
Thus any S would need to know Z's private key,  

Now, if S could act as  a man in the middle, and persuade  your machine
that S's public key is really Z's public key, then of course S could
read your transmission. That is prevented by the "web of trust" -- the
fact that you trust the signing authority who stated that Z's key really
was Z's key. Of course if you do not have the signing authority's public
key in your system or S has persuaded you (or your distro) to put a bogus public
key for
that signing authority into your system, the game is up.
So no, without a lot of work, intermediate machines cannot read your SSL
stuff sent to Z, or you ignored the warning from your browser that it
did not know the signing authority for the key you are using.


Re: Anybody know how https *really* works? I didn't think so

RayLopez99 wrote:

Yes, that's correct - because C used S's URL, not Z's.


The protocol doesn't decrypt as soon as it reaches _any_ server,
only when it reaches _the_ server addressed in the URL.

Re: Anybody know how https *really* works? I didn't think so



My same question to you as to FromTheRafters (repeated below).  I
don't see how--even accepting your explanation--if C uses Z's URL this
can happen--unless, C uses S's URL rather than Z 'without knowing
it' (that is, it is substituted by either the program or by the HTTPS
public key mechanism itself unknown to C).  Does this 'unknown' use
happen in practice?  Is this the infamous "Cross-site scripting (XSS)"
attack?  Is this how S becomes Z?

RL


Thanks.  OK, but who sets up the 'new keys', 'new relationships'?  It
has to be done by somebody using new SSL certificates, not the
original one used by C?

Here is where I'm going:  C wants to send to Z.  It types in Z's URL
using an SSL certificate.  By the nature of the internet, in between C
and Z there are always other servers that act as relays, call one of
them 'S'.  Is it possible for them to use 'new keys', 'new
relationships' that would compromise the message from C to Z?  Unknown
to C?  I don't think so--or I can't see how.  That is, C would have to
send a message to 'S', not 'Z'.  But at that point, we are arguing
over semantics--'S' now *is* 'Z'!  Of course if S wants to send to Z,
that will mean S can read the message--but that's just plain stupid
semantics.

Please explain if it's possible for C to send to Z, then, if there's
an intermediate SOAP server S, unknown to C (maybe not unknown, but
perhaps unsuspected for a security risk) whether S can decrypt the
message if C has typed in Z's URL.  Unless--and maybe this is
possible--C types in Z's URL but the program--behind the scenes--
changes Z's URL to S!  Why would it do that--can it do that?


RL

Re: Anybody know how https *really* works? I didn't think so

RayLopez99 wrote:

The answer is still no!

Re: Anybody know how https *really* works? I didn't think so


Why?  See my question to Unruh. Don't crap out now Jason, we are close
to the finish line and you've come so far!  Future readers of this
thread, and it's novel as I've not seen this topic elsewhere, will
wonder what the answer is.

RL

keywords:  SSL does not work, SSL does not encrypt,  SSL is not safe,
TLS does not work, TLS is not safe, TLS does not encrypt, message
security not 100% not complete not guaranteed with SSL or TLS, people
can read your messages with SSL certificate or TLS certificates.


Re: Anybody know how https *really* works? I didn't think so


Further, Microsoft says that S can decrypt the message.  Why do they
say that?  Is this a case where a "mashup" is involved, where C and/or
Z has given permission to S to decrypt? If so, that solves the
riddle.  But if S can routinely decrypt, then it's a mystery.

RL

Re: Anybody know how https *really* works? I didn't think so

On Sat, 30 Oct 2010 14:02:58 -0700 (PDT), RayLopez99 wrote:


Outside of being an assclown, you're a liar too. How's that working
for you in this thread? lol
--
Passwords, people, they are not just for game shows. If you refuse to
make the effort to remember a few long, diverse passwords, then don't
scream at me when your FICO is 496 and your bank accounts are zeroed
out.

Re: Anybody know how https *really* works? I didn't think so

wrote:


Here's a reference for you to 'bone up' on, bonehead:
(http://msdn.microsoft.com/en-us/library/ms733137%28VS.90%29.aspx)

"End-to-end security. A secure transport, such as Secure Sockets Layer
(SSL) works only when the communication is point-to-point. If the
message is routed to one or more SOAP intermediaries before reaching the
ultimate receiver, the message itself is not protected once an
intermediary reads it from the wire."

EXPLAIN WHY MESSAGE IS NOT PROTECTED ONCE AN INTERMEDIARY SOAP IS
PRESENT, DOPE.

Ball is in your court.  Cowardice and evasion noted.

RL

Re: Anybody know how https *really* works? I didn't think so


You are making the assumption that all people at microsoft.com know what
they are talking about. That assumption need not be a good one. That is
another possibility you seem to be avoiding.
Also, a SOAP is a machine which is supposed to make changes to a
document. In order to do so, it MUST be able to read and change the
document. Thus if you are using ssl, the link must be from the original
machine to the intermediary which must be able to decrypt the message.
The original must therefore send the message to the SOAP intermediary
encrypted with the intermediary's public key protocol.

That is how I read it.



Re: Anybody know how https *really* works? I didn't think so


Yes, Transport Layer Security is like the two cans and a string in a
point-to-point communications link. You want to protect from anyone
tapping the string getting your data while still having the users
understand one another. It is about the *string* not about the cans
(diaphragms) or the ears. In this analogy, the TLS would sit between the
diaphragms and the strings and be transparent to the users. It is not
about what the users can and cannot do, it is about what someone tapping
the string would be able to do (nothing, because it is still encrypted
at that point).

If you want to keep your data secure from the people that you have
trusted with the session keys, you should encrypt the data itself before
sending it to the TLS.

I won't be responding to any further posts by this troll until he learns
not to crosspost. :o)

Though I am pleasantly surprised he included the security group this
time, he usually tries to pick groups where he has a chance to look
superior on a given subject even though he obviously lacks clue.




Re: Anybody know how https *really* works? I didn't think so

wrote:

That last part makes no sense, kind of like you in real life.

If you trust somebody with session keys, why would you want to keep
your data secure from them?  Again, see my reply just now to unruh.

Either the passage is trivial (unruh's interpretation, and for now I
have to agree with him), or, there's more going on that none of us is
aware of.  That's also a possibility, as I've seen this language in a
textbook.  Unless the textbook author was merely parroting the unclear
language from Microsoft, which I guess is possible too.

RL

Re: Anybody know how https *really* works? I didn't think so



Good point.  The passage is unclear--it implies that the SOAP
intermediary is an 'exception' to https being secure, akin to a
Cross-site scripting (XSS) attack.  But in fact, if your interpretation is
correct, it's not really an exception.


Very logical, and it works to explain the passage, except for the fact
it makes the passage trivial.  If all Microsoft is saying (and not
just Microsoft--I've seen similar language in a book on WCF by
Resnick, an authority on WCF) is that 'when you send an SSL / TLS
secured message to a SOAP intermediary, since SSL / TLS is only good
for transport and not for the endpoints, don't forget that you must
decrypt the message at the SOAP intermediary', well, this is very
true, but trivial.  How is that an exception to https being secure?
An exception like XSS attacks?  I think there might be more going on
that nobody in this thread is aware of, but for the time being I guess
we have to settle for your answer.

Thanks for the reply.

RL

Re: Anybody know how https *really* works? I didn't think so

On Sun, 7 Nov 2010 15:44:43 -0800 (PST), RayLopez99

It makes absolute sense! Intermediate tiers need to decrypt the
envelope. If the letter does not have additional encryption its
contents will be decrypted when the envelope is encrypted.

If the letter is encrypted before it goes in the envelope, the letter
will remain encrypted when an intermediate tier decrypts the envelope.

You are confusing authentication and authorization. Reading about
roles and memberships may provide some insights.


The problem is something doesn't work the way you expect. This has
occurred before.

regards
A.G.
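The distinction FromTheRafters and A.G. are drawing (TLS protects the "string" or the "envelope", so anyone you hand a session key to, such as a SOAP intermediary that terminates the connection, reads the plaintext; only encryption applied to the "letter" itself survives the hop) is easy to see in code. The following is an added illustration, not code from anyone in the thread or from Microsoft's WCF documentation. It models the C -> S -> Z path with a per-hop authenticated stream cipher standing in for TLS (HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag, a demo construction rather than a vetted AEAD), with constructed keys and a constructed message; the function and key names are assumptions of the example.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one session key.
    return hashlib.sha256(key + label).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a PRF-based stream cipher for the demo.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Encrypt-then-MAC under `key`; output is nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("message authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def transport_only(message: bytes, k_cs: bytes, k_sz: bytes):
    """Hop-by-hop (TLS-style) protection: the envelope is opened and
    resealed at S. Returns (what S sees, what Z receives)."""
    envelope_cs = seal(k_cs, message)        # C -> S session, key shared with S
    seen_by_s = unseal(k_cs, envelope_cs)    # S terminates the C-S session
    envelope_sz = seal(k_sz, seen_by_s)      # S opens its own session to Z
    received_by_z = unseal(k_sz, envelope_sz)
    return seen_by_s, received_by_z


def end_to_end(message: bytes, k_cz: bytes, k_cs: bytes, k_sz: bytes,
               tamper: bool = False):
    """Message-layer protection inside the transport envelope: the letter is
    sealed with a key only C and Z hold. Returns (what S sees, what Z
    recovers, or None if Z's integrity check rejected the letter)."""
    letter = seal(k_cz, message)             # sealed for Z before it hits TLS
    envelope_cs = seal(k_cs, letter)
    seen_by_s = unseal(k_cs, envelope_cs)    # S sees only the sealed letter
    forwarded = seen_by_s
    if tamper:                               # S flips one ciphertext bit
        i = NONCE_LEN
        forwarded = forwarded[:i] + bytes([forwarded[i] ^ 0x01]) + forwarded[i + 1:]
    envelope_sz = seal(k_sz, forwarded)
    letter_at_z = unseal(k_sz, envelope_sz)
    try:
        return seen_by_s, unseal(k_cz, letter_at_z)
    except ValueError:
        return seen_by_s, None


# Constructed demo keys and message (not real key material).
K_CS, K_SZ, K_CZ = b"C" * 32, b"S" * 32, b"Z" * 32
MSG = b"transfer 100 to account 42"

if __name__ == "__main__":
    s_view, z_view = transport_only(MSG, K_CS, K_SZ)
    print("transport only, S sees:", s_view)
    s_view, z_view = end_to_end(MSG, K_CZ, K_CS, K_SZ)
    print("end to end,     S sees:", s_view.hex()[:32], "...  Z gets:", z_view)
    _, z_view = end_to_end(MSG, K_CZ, K_CS, K_SZ, tamper=True)
    print("tampered by S,  Z accepts:", z_view is not None)
```

In the transport-only path S reads the exact plaintext, which is all the Microsoft passage is saying: the transport session ends at whoever terminates it. In the end-to-end path S forwards an opaque blob and, because the inner layer is authenticated, Z also notices if S alters it; the transport layer cannot give you that property across a hop it does not cover.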

Re: Anybody know how https *really* works? I didn't think so

On Mon, 08 Nov 2010 15:46:52 -0500, Registered User wrote:


Yeah, I remember when Ray was trolling the fitness and weights
newsgroups and BBs trying to get medical advice on why one of his
nuts hurt. He refused to admit to what was an obvious fact to all of
us that was when you whack-off 6-10x/day, and are RHanded, chances are
you're going to have a sore right testicle. lol

True story btw.

https://secure.wikimedia.org/wikipedia/en/wiki/User:Raylopez99
--
My Medline articles - http://tinyurl.com/34r38aq

Re: Anybody know how https *really* works? I didn't think so



Somebody named Ari Silverstein is really pissed at you using his name
here, shithead.

Turns out I sprained my back--nerves from the back cross at your nuts,
doc said.  A real doctor, not a pretend one like you, wacko.


"Post-traumatic middle cerebral artery occlusion.
S A Hollin, M H Sukoff, A Silverstein, S W Gross " (Talk about an
obscure article--I guess if you pick an obscure enough subject, nobody
will bother challenging your findings)

Sukoff?  Gross?  Your co-authors are named Suk-off and Gross?  Fitting
for a fake jew doctor like you.  Like I said, the real Dr. Silverstein
is going to come after your sorry ass for disparaging his name.

RL

Re: Anybody know how https *really* works? I didn't think so


Your profile suggests that you work in the agricultural industry.  If
those who work in the agricultural industry knew that you're giving
them a bad name, I'm sure they wouldn't hesitate to toss you into the
corn feeder a second time.

Re: Anybody know how https *really* works? I didn't think so

On 10/28/2010 10:04 PM, idbeholda wrote:

Around these parts, wood chippers are real popular.

You can rent them at Home Depot.

Notan

Re: Anybody know how https *really* works? I didn't think so

On Thu, 28 Oct 2010 15:47:35 -0700 (PDT), RayLopez99 wrote:


What book?


Where?
 

*roflmao*

--
"The Toast of Buffalo! = http://tinyurl.com/2v9sjf9
Ari himself, with his unerring sense of what is hip, contributed a box
of doughnuts
from Famous Doughnuts, a company he owns."
