SSL

Hi;

I am wondering: when a browser links to a secure service (HTTPS, for example), how is that connection secure if I don't have a digital certificate on the machine from which I run the browser?

I'd also like to know, when making such a connection (or even one where I would have a certificate as well), at what stage the connection is actually secure. I mean, presumably there has to be an initial log-in routine during which, for part of the time at least, there is no security - or am I mistaken?
Asked by: krakatoa

4 Solutions
CEHJ commented:
As a preliminary, the following may be illuminating. Probably start reading from "Here's how SSL handshaking works:"

http://www.networkmagazine.com/article/NMG20021203S0012
RLGSC commented:
Krakatoa,

I don't have the details of the SSL handshake in my head at the moment (and I just woke up, and haven't had my coffee). However, remember that the browser does indeed have a root for the trust, the certificates from the well-known Certificate Authorities that are the "signers" of the X.509 certificates from the different www sites.

In general, the www servers cannot authenticate you (without a username/password), but your system can identify them by verifying the integrity of their certificate (from information provided by the well-known Certificate Authorities; in some cases, organizations have established their own internal Certificate Authorities, which makes the process a multi-step walk up the hierarchy until you reach a well-known CA).

The certificates are also only good for a particular DNS name.

For the full details of the SSL protocol, the best source that I can think of is either:

  - a good textbook (from your local bookstore or college bookstore)
  - the appropriate RFC governing SSL (see WWW.IETF.ORG)
  - a magazine article (such as the one cited by CEHJ); I will admit that this is not my preference, I prefer the actual RFC (although they are admittedly harder to read, a well-written text is generally more authoritative and more complete than an article).

I hope that the above is helpful.

- Bob (aka RLGSC)
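An added example (my own code, not from any of the posters on this page) showing in Go what "a root for the trust" and "only good for a particular DNS name" mean in practice: a constructed root CA, an intermediate CA and a server certificate for the made-up host www.example.test are created in memory, and the same check a browser performs is run against them. The names, the host and the use of the Go standard library x509 package are my assumptions, not anything stated on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template describes a certificate; ca marks a signing (CA) certificate.
func template(cn string, ca bool, dns []string, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: dns, BasicConstraintsValid: true, IsCA: ca,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // this chain is for web servers
	}
	if ca { t.KeyUsage |= x509.KeyUsageCertSign }
	return t
}
// issue signs tmpl with the parent's key; parent == nil yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyChain is the browser's check: leaf -> intermediate -> a root it already trusts, for this host.
func verifyChain(leaf, intermediate *x509.Certificate, roots *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	inter.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}
// BuildDemo constructs root -> intermediate -> server leaf for a made-up host name (constructed data).
func BuildDemo() (leaf, inter *x509.Certificate, trusted *x509.CertPool) {
	root, rootKey := issue(template("Demo Root CA", true, nil, 1), nil, nil)
	inter, interKey := issue(template("Demo Intermediate CA", true, nil, 2), root, rootKey)
	leaf, _ = issue(template("www.example.test", false, []string{"www.example.test"}, 3), inter, interKey)
	trusted = x509.NewCertPool()
	trusted.AddCert(root)
	return leaf, inter, trusted
}
```

The only thing the "browser" side holds in advance is the root certificate in `trusted`; the server's own certificate and the intermediate arrive over the connection and are accepted only if they chain to that root and name the host being visited.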
Tim Holman commented:
All modern browsers have certificates built in....
For example, the version of IE 6 I'm using uses a built-in RSA certificate.
krakatoa (Author) commented:
>> All modern browsers ...

I looked at mine, and can see only in Help > About that it says cipher strength, 128-bit. Is that it, or is there some other evidence that encryption is running? Why does anyone need a digital certificate then if encryption is built in?

>>  ... the browser does indeed have a root for the trust,  ...

I don't really understand that. How do I substantiate that, and what does it mean, "a root for the trust"?

Had a look at the networkmagazine material, and there again I see that there is a pre master secret exchange. I'd really have liked the author to have spelt out plainly whether there is *any* exchange between (secure) server and client which is not secured from the word go.

This last point, plus the relevance of a certificate anyway, remain my two areas of ignorance. ;)
Tim Holman commented:
Ooops...  I meant that browsers have ciphers built in, not certificates.  Silly me.
A better description is at the MS site:

http://support.microsoft.com:80/support/kb/articles/Q257/5/91.ASP&NoWebContent=1

Lamcor commented:
Hello. I won't make this too long.

"There's always security" ;)

Understanding how SSL (Secure Socket Layer) provides transmission protection...

Little History:

- Netscape designed the SSL protocol to provide encryption, message integrity, and server authentication for TCP/IP. They made it a public service (nonproprietary protocol) and submitted SSL to the W3C for consideration as a standard security approach for the browsers and servers on the internet.

- The SSL protocol requires an SSL-enabled server and browser to do the connection; both Internet Explorer and of course Netscape support this (many others too).

- The SSL-supported server authentication uses RSA public-key cryptography, with a certificate publishing authority (like Verisign) for server authentication. Whenever you are connected to a secure server (any secure server), you can view the server's certificate.

The Actual Thing:

Ok, when a browser tries to connect to a secure server, it sends the server a message, its public key (this is a key generated uniquely when you install the browser on your computer).

The server then receives the public key. If the browser supports any kind of encryption that the server has to offer, the server will send back an encrypted response with the browser's public key, and it will also include the server's own public key.

So far the server knows the public key of the browser and the browser knows the public key of the server.

After the browser receives the server response, the browser sends another request to the server. This time, the browser encrypts the message to the server with the server's public key, now that the browser knows the key. In addition, the browser instructs the server to send to the browser the session key (not the public key) that both will use to communicate.

The server sends back the session key (encrypted with the browser's public key).

After the browser receives the encrypted session key, the browser then proceeds with its remaining request.

How to Know when you are Transmitting with a Secure Connection:

If the URL you're trying to access begins with https:// instead of http://, then it's from a secure server.

Also you can see an icon in the lower bar of your browser, a key in Netscape, or a padlock in Internet Explorer.

There are security warnings that come up when trying to access a secure server, mostly when sending information like credit card numbers and so on.

To see whether you have SSL enabled or disabled on Internet Explorer, start your browser and go to: Tools/Internet Options/Advanced Options... there should be a box that indicates if it's on or off (maybe you will have both SSL 2.0 and SSL 3.0).

Hope it helped.

Lamcor
CEHJ commented:
8-)