Solved

SSL

Posted on 2004-04-17
Last Modified: 2010-04-11
Hi;

I am wondering: when a browser links to a secure service (HTTPS, for example), how is that connection secure if I don't have a digital certificate on the machine from where I run the browser?

I'd also like to know when making such a connection, or even indeed one where I would have a certificate as well, at what stage is the connection actually secure - I mean presumably there has to be an initial log-in routine during which part of the time at least, there is no security - or am I mistaken?
Question by:krakatoa

Assisted Solution

by:CEHJ
CEHJ earned 50 total points
ID: 10848878
As a preliminary, the following may be illuminating. Probably start reading from "Here's how SSL handshaking works:"

http://www.networkmagazine.com/article/NMG20021203S0012

Assisted Solution

by:RLGSC
RLGSC earned 50 total points
ID: 10849200
Krakatoa,

I don't have the details of the SSL handshake in my head at the moment (and I just woke up, and haven't had my coffee). However, remember that the browser does indeed have a root for the trust, the certificates from the well-known Certificate Authorities that are the "signers" of the X.509 certificates from the different www sites.

In general, the www servers cannot authenticate you (without a username/password), but your system can identify them by verifying the integrity of their certificate (from information provided by the well-known Certificate Authorities; in some cases, organizations have established their own internal Certificate Authorities, which makes the process a multi-step walk up the hierarchy until you reach a well-known CA).

The certificates are also only good for a particular DNS name.

For the full details of the SSL protocol, the best source that I can think of is either:

  - a good textbook (from your local bookstore or college bookstore)
  - the appropriate RFC governing SSL (see WWW.IETF.ORG)
  - a magazine article (such as the one cited by CEHJ); I will admit that this is not my preference, I prefer the actual RFC (although they are admittedly harder to read, a well-written text is generally more authoritative and more complete than an article).

I hope that the above is helpful.

- Bob (aka RLGSC)

Expert Comment

by:Tim Holman
ID: 10849361
All modern browsers have certificates built in....
For example, the version of IE 6 I'm using uses a built-in RSA certificate.

Author Comment

by:krakatoa
ID: 10850226
>> All modern browsers ...

I looked at mine, and can see only in Help About that it says cipher strength, 128 bit.  Is that it, or is there some other evidence that encryption is running? Why does anyone need a digital certificate then if encryption is built in?

>>  ... the browser does indeed have a root for the trust,  ...

Don't really understand that. How do I substantiate that, and what does it mean, "a root for the trust"?

Had a look at the networkmagazine material, and there again I see that there is a pre master secret exchange. I'd really have liked the author to have spelt out plainly whether there is *any* exchange between (secure) server and client which is not secured from the word go.

This last point, plus the relevance of a certificate anyway, remain my two areas of ignorance. ;)

Assisted Solution

by:Tim Holman
Tim Holman earned 50 total points
ID: 10850421
Ooops...  I meant that browsers have ciphers built in, not certificates.  Silly me.
A better description is at the MS site:

http://support.microsoft.com:80/support/kb/articles/Q257/5/91.ASP&NoWebContent=1




Accepted Solution

by:
Lamcor earned 50 total points
ID: 10871253
Hello. I won't make this too long.

"There's always security" ;)


Understanding how SSL (Secure Socket Layer) provides transmission protection...

Little History:

- Netscape designed the SSL protocol to provide encryption, message integrity, server authentication for TCP/IP. They made it a public service (nonproprietary protocol) and submitted SSL to the W3C for consideration as a standard security approach for the browsers and servers on the internet.

- The SSL protocol requires an SSL-enabled server and browser to do the connection; both Internet Explorer and of course Netscape support this (many others too).

- The SSL-supported server authentication uses RSA public-key cryptography, with a certificate publishing authority (like Verisign) for server authentication. Whenever you are connected to a secure server (any secure server), you can view the server's certificate.

The Actual Thing:

Ok, when a browser tries to connect to a secure server, it sends the server a message, its public key (this is a key generated uniquely when you install the browser in your computer).

The server then receives the public key. If the browser supports any kind of encryption that the server has to offer, the server will send back an encrypted response with the browser's public key and it will also include the server's own public key.

So far the server knows the public key of the browser and the browser knows the public key of the server.

After the browser receives the server response, the browser sends another request to the server. This time, the browser encrypts the message to the server with the server's public key, now that the browser knows the key. In addition, the browser instructs the server to send to the browser the session key (not the public key) that both will use to communicate.

The server sends back the session key (encrypted with the browser's public key).

After the browser receives the encrypted session key, the browser then proceeds with its remaining request.


How to Know when you are Transmitting with a Secure Connection:

If the URL you're trying to access begins with https:// instead of http://, then it's from a secure server.

Also you can see an icon in the lower bar of your browser, a key in Netscape, or a padlock in Internet Explorer.

There are security warnings that come up when trying to access a secure server, mostly when sending information like credit card numbers and so on.

To see whether you have SSL enabled or disabled on Internet Explorer, start your browser and go to: Tools/Internet Options/Advance Options... there should be a Box that indicates if it's on or off. (maybe you will have both SSL2.0 and SSL3.0).

Hoped it Helped.

Lamcor
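
Added example, not part of any post in this thread: the thread asks whether anything is exchanged before encryption starts and whether the client needs its own certificate. This Python sketch uses the standard `ssl` module to build a client's opening handshake message in memory (no network) and parses it to show it is a plaintext record with the server name readable; `shop.example` and the function names are constructed for illustration.

```python
import ssl

HOST = "shop.example"  # constructed name; nothing is resolved or contacted


def first_flight(hostname=HOST):
    """Return (context, bytes) for the first message a certificate-less client sends."""
    # PROTOCOL_TLS_CLIENT demands a valid server certificate that matches the
    # hostname. load_cert_chain() is never called, so the client has no
    # certificate of its own.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is queued; the client now waits for the server's reply
    return ctx, outgoing.read()


def describe(record, hostname=HOST):
    """Parse the 5-byte TLS record header and the handshake type that follows it."""
    length = int.from_bytes(record[3:5], "big")
    body = record[5:5 + length]
    return {
        "content_type": record[0],      # 22 = handshake record
        "handshake_type": body[0],      # 1 = ClientHello
        "complete": len(body) == length,
        # No key has been agreed yet, so the requested server name is readable.
        "hostname_in_clear": hostname.encode("ascii") in body,
    }


if __name__ == "__main__":
    ctx, data = first_flight()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
    print(describe(data))
```

The opening message carries no application data; requests and form contents are only sent after the handshake has agreed on keys.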

Expert Comment

by:CEHJ
ID: 10917277
8-)