Thread: Ssl

  1. #1
    Member
    Join Date
    Jan 2007
    Posts
    117

    First off, I did a search for SSL and got 0 returns. I'm learning about SSL in class right now and I don't quite get how someone would not be able to sniff the traffic and at the very least figure out what was sent afterwards by cracking the session key. Let's say someone goes to Newegg and buys something, and someone was sniffing the traffic the whole time. Since the public key is obviously public, what keeps the sniffer from comparing the session key that was created from buying something to the public key and figuring out what was sent?

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    vBulletin doesn't allow searching on short words like "SSL" or "USB", etc. Instead go to Google and hit the Advanced Search link, put SSL in as your "all these words" value and "Search within site or domain" should be forums.remote-exploit.org

    Yes, if you can sniff the entire conversation between a client and a server you can later decrypt all the traffic.

    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Instead of searching the acronym you could search what it really stands for.

    Secure Sockets Layer = SSL
    Universal Serial Bus = USB
    etc...

    Google probably has the best answers about SSL.

  4. #4
    Member
    Join Date
    Jan 2007
    Posts
    117

    Originally posted by thorin:
        vBulletin doesn't allow searching on short words like "SSL" or "USB", etc. Instead go to Google and hit the Advanced Search link, put SSL in as your "all these words" value and "Search within site or domain" should be forums.remote-exploit.org

        Yes, if you can sniff the entire conversation between a client and a server you can later decrypt all the traffic.

    Alright, thanks. The reason I ask about this is my teacher said that it is impossible to get any information from an SSL transaction. He said it's because the private key is only stored on the server and can never leave it, and it is the only key that can decrypt the information that the public key encrypts. I dunno, I looked it up on How Stuff Works and didn't get an answer. It just seems like it's not as secure as my teacher makes it out to be. If anyone has a link to a good site that explains it I would appreciate it.

  5. #5
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Originally posted by ats1080:
        Alright, thanks. The reason I ask about this is my teacher said that it is impossible to get any information from an SSL transaction. He said it's because the private key is only stored on the server and can never leave it, and it is the only key that can decrypt the information that the public key encrypts. I dunno, I looked it up on How Stuff Works and didn't get an answer. It just seems like it's not as secure as my teacher makes it out to be. If anyone has a link to a good site that explains it I would appreciate it.

    MITM attack and you feed them a fake certificate. Assuming the user doesn't investigate your fake certificate you should be able to get everything.

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    My earlier post made it seem like SSL had holes you can drive a Mack truck through. This isn't the case; decrypting SSL still requires you to have specific access to different components of the picture (i.e.: to be able to ARP poison the network and conduct MITM attacks, access to server key files, access to switches or network devices so you can create a span port or install an Ethernet tap, etc.)

    However, stating that it's "impossible" to accomplish is just WRONG. Perhaps IMPROBABLE and in many cases IMPRACTICAL but NOT impossible.

    Then there's also the fact that lots of web sites still allow weak SSLv2 connections and old weak ciphers like DES3. DES3 can be broken in days (maybe even less) on modern hardware.

  7. #7
    Member
    Join Date
    Jan 2007
    Posts
    117

    OK, a little bit of a follow-up. I talked to my teacher about it and I know now how it works. However, I'm still not sure: when you encrypt something with the public key, why can't you decrypt with the public key? My teacher said it's because of how it's mathematically set up (he's not really sure), but I can't really grasp how you can encrypt something with a key but not be able to unencrypt it.

  8. #8
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Because they use a private key also. They use CAs (Certificate Authorities) to exchange the keys. This is what VeriSign is! I'm sure there are other companies that do the same thing. You should really take a look at cryptography if you want to learn this in more detail. There's a book I read a long time ago, I think it's called Applied Cryptography, that should give you a good idea how it works.

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    At its most basic it has to do with the fact that given two pieces of information it is easy to calculate a huge number, but given a huge number it's difficult to come up with the original two factors. Public Key Crypto depends on computers having a hard time factoring huge numbers. Again not IMPOSSIBLE but computationally difficult enough to make it impractical.

    Try searching/Googling things like "one way hash" or "one way function".

    Here's one good reference:
    http://en.wikipedia.org/wiki/Public-key_cryptography

    I'm not a mathematician so I can't explain it to you much better than that.
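
The point in posts #7 and #9, as an added example that is not part of the original thread: a toy RSA exchange showing that applying the public key to a captured ciphertext does not recover the secret, and that rebuilding the private key means factoring the modulus. The primes, the secret value and all function names are constructed for illustration; the modulus is tiny so the factoring step finishes instantly.

```python
# Added illustration: textbook RSA with constructed, deliberately tiny primes
# and no padding. Real TLS keys use moduli of 2048 bits or more.
import math

P, Q = 1009, 1013          # constructed toy primes (the server's secret)
E = 65537                  # common public exponent
SECRET = 101302            # constructed stand-in for a session secret

def make_keypair(p, q, e=E):
    """Return (public, private). Computing d needs phi, i.e. the factors of n."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi")
    return (n, e), (n, pow(e, -1, phi))

def apply_key(key, value):
    """RSA is one operation, value**exponent mod n, for both directions."""
    n, exponent = key
    return pow(value, exponent, n)

def factor(n):
    """Trial division over odd candidates; returns (p, q, attempts)."""
    candidate, attempts = 3, 1
    while n % candidate:
        candidate += 2
        attempts += 1
    return candidate, n // candidate, attempts

def demo():
    public, private = make_keypair(P, Q)
    ciphertext = apply_key(public, SECRET)          # what the sniffer records
    with_public = apply_key(public, ciphertext)     # "decrypting" with (n, e)
    with_private = apply_key(private, ciphertext)   # the server, using d
    p, q, attempts = factor(public[0])              # feasible only because n is tiny
    _, rebuilt_private = make_keypair(p, q)
    return {
        "with_public": with_public,
        "with_private": with_private,
        "factors": (p, q),
        "attempts": attempts,
        "after_factoring": apply_key(rebuilt_private, ciphertext),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Trial division needs on the order of the square root of n attempts, so the attempt count printed for this toy modulus says nothing about a 2048-bit one.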

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Posts
    57

    Slightly OT, but another way to bypass SSL would be "side jacking" (cookie stealing).

    I guess it depends on what you want to do. If you are purely interested in SSL and its function or ways to defeat it.
