Ssl
first off, i did a search for SSL got 0 returns. im learning about SSL in class right now and i dont quite get how someone would not be able to sniff the traffic and at the very least figure out what was sent afterwards by cracking the session key? lets say someone goes to newegg and buys something, and someone was sniffing the traffic the whole time. since the public key is obviously public, what keeps the sniffer from comparing the session key that was created from buying something to the public key and figuring out what was sent?
vBulletin doesn't allow searching on short words like "SSL" or "USB", etc. Instead goto google and hit the Advanced Search link, put SSL in as your "all these words" value and "Search within site or domain" should be forums.remote-exploit.org
Yes if you can sniff the entire conversation between a client and a server you can later decrypt all the traffic.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Instead of searching the acronym you could search what it really stands for.
Secure Sockets Layer = SSL
Universal Serial Bus = USB
etc...
Google probably has the best answers about SSL.
alright thanks. the reason i ask about this is my teacher said that it is impossible to get any information from an SSL transaction. he said its because the private key is only stored on the server and can never leave it, and it is the only key that can only decrypt the information that the public key encrypts. i dunno, i looked it up on how stuff works and didn't get an answer. it just seems like its not as secure as my teacher makes it out to be. if anyone has a link to a good site that explains it i would appreciate it.Originally Posted by thorin
MITM attack and you feed them a fake certificate. Assuming the user doesn't investigate your fake certificate you should be able to get everything.
My earlier post made it seem like SSL had holes you can drive a mac truck through, this isn't the case, decrypting SSL still requires you to have specific access to different components of the picture (i.e.: to be able to arp poison the network and conduct MITM attacks, access to server key files, access to switches or network devices so you can create a span port or install a Ethernet tap, etc.)
However, stating that it's "impossible" to accomplish is just WRONG. Perhaps IMPROBABLE and in many cases IMPRACTICAL but NOT impossible.
Then there's also the fact that lots of web sites still allow weak SSLv2 connections and old weak ciphers like DES3. DES3 can be broken in days (maybe even less) on modern hardware.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
ok, a little bit of a follow up. i talked to my teacher about it and the i know now how it works. however, im still not sure how when you encrypt something with the public key, why cant you decrypt with the public key? my teacher said its because of how its mathematically set up (hes not really sure), but i cant really grasp how you can encrypt something with a key, but not be able to unencrypt it.
Because they use a private key also. They use CA's Certificate Authorities to exchange the keys. This is what verisign is! I'm sure there's other companies that do the same thing. You should really take a look at cryptography if you want to learn this in more detail. There's a book I read a long time ago i think its called applied cryptography that should give you a good idea how it works.
At it's most basic it has to do with the fact that given two pieces of information it is easy to calculate a huge numer but given a huge numbers it's difficult to come up with the original two factors. Public Key Crypto depends on computers having a hard time factoring huge numbers. Again not IMPOSSIBLE but computationally difficult enough to make it impracticle.
Try searching/google'ing things like "one way hash" or "one way function".
Here's one good reference:
http://en.wikipedia.org/wiki/Public-key_cryptography
I'm not a mathemetician so I can't explain it to you much better than that.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Slightly OT, but another way to bypass SSL would be "side jacking", Cookie stealing.
I guess it depends on what you want to do. If you are purley interested in SSL and its function or ways to defeat it.
Posting Permissions
