Solved

SSL

Posted on 2004-04-17
Last Modified: 2010-04-11
Hi;

I am wondering: when a browser links to a secure service (HTTPS, for example), how is it that the connection is secure if I don't have a digital certificate on the machine from which I run the browser?

I'd also like to know, when making such a connection (or indeed one where I would have a certificate as well), at what stage the connection is actually secure. I mean, presumably there has to be an initial log-in routine during which, for part of the time at least, there is no security - or am I mistaken?
Question by:krakatoa
7 Comments
 
LVL 86

Assisted Solution

by:CEHJ
CEHJ earned 50 total points
As a preliminary, the following may be illuminating. Probably start reading from "Here's how SSL handshaking works:"

http://www.networkmagazine.com/article/NMG20021203S0012
 
LVL 8

Assisted Solution

by:RLGSC
RLGSC earned 50 total points
Krakatoa,

I don't have the details of the SSL handshake in my head at the moment (and I just woke up, and haven't had my coffee). However, remember that the browser does indeed have a root for the trust, the certificates from the well-known Certificate Authorities that are the "signers" of the X.509 certificates from the different www sites.

In general, the www servers cannot authenticate you (without a username/password), but your system can identify them by verifying the integrity of their certificate (from information provided by the well-known Certificate Authorities; in some cases, organizations have established their own internal Certificate Authorities, which makes the process a multi-step walk up the hierarchy until you reach a well-known CA).

The certificates are also only good for a particular DNS name.

For the full details of the SSL protocol, the best source that I can think of is either:

  - a good textbook (from your local bookstore or college bookstore)
  - the appropriate RFC governing SSL (see WWW.IETF.ORG)
  - a magazine article (such as the one cited by CEHJ); I will admit that this is not my preference, I prefer the actual RFC (although they are admittedly harder to read, a well written text is generally more authoritative and more complete than an article).

I hope that the above is helpful.

- Bob (aka RLGSC)
 
LVL 23

Expert Comment

by:Tim Holman
All modern browsers have certificates built in....
For example, the version of IE 6 I'm using uses a built-in RSA certificate.
 
LVL 16

Author Comment

by:krakatoa
>> All modern browsers ...

I looked at mine, and can see only in Help About that it says cipher strength, 128 bit.  Is that it, or is there some other evidence that encryption is running? Why does anyone need a digital certificate then if encryption is built in?

>>  ... the browser does indeed have a root for the trust,  ...

don't really understand that. How do I substantiate that, and what does it mean, "a root for the trust"?

Had a look at the networkmagazine material, and there again I see that there is a pre master secret exchange. I'd really have liked the author to have spelt out plainly whether there is *any* exchange between (secure) server and client which is not secured from the word go.

This last point, plus the relevance of a certificate anyway, remain my two areas of ignorance. ;)
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 50 total points
Ooops...  I meant that browsers have ciphers built in, not certificates.  Silly me.
A better description is at the MS site:

http://support.microsoft.com:80/support/kb/articles/Q257/5/91.ASP&NoWebContent=1
 

Accepted Solution

by:Lamcor
Lamcor earned 50 total points
Hello. I won't make this too long.

"There's always security" ;)

Understanding how SSL (Secure Sockets Layer) provides transmission protection...

Little History:

- Netscape designed the SSL protocol to provide encryption, message integrity and server authentication for TCP/IP. They made it a public service (nonproprietary protocol) and submitted SSL to the W3C for consideration as a standard security approach for the browsers and servers on the internet.

- The SSL protocol requires an SSL-enabled server and browser to make the connection; both Internet Explorer and of course Netscape support this (many others too).

- SSL-supported server authentication uses RSA public-key cryptography, with a certificate publishing authority (like Verisign) for server authentication. Whenever you are connected to a secure server (any secure server), you can view the server's certificate.

The Actual Thing:

OK, when a browser tries to connect to a secure server, it sends the server a message, its public key (this is a key generated uniquely when you install the browser on your computer).

The server then receives the public key. If the browser supports any kind of encryption that the server has to offer, the server sends back a response encrypted with the browser's public key, and it will also include the server's own public key.

So far the server knows the public key of the browser and the browser knows the public key of the server.

After the browser receives the server's response, the browser sends another request to the server. This time, the browser encrypts the message to the server with the server's public key, now that the browser knows the key. In addition, the browser instructs the server to send the browser the session key (not the public key) that both will use to communicate.

The server sends back the session key (encrypted with the browser's public key).

After the browser receives the encrypted session key, the browser then proceeds with its remaining request.

How to Know when you are Transmitting over a Secure Connection:

If the URL you're trying to access begins with https:// instead of http://, then it's from a secure server.

Also you can see an icon in the lower bar of your browser: a key in Netscape, or a padlock in Internet Explorer.

There are security warnings that come up when trying to access a secure server, mostly when sending information like credit card numbers and so on.

To see whether you have SSL enabled or disabled in Internet Explorer, start your browser and go to: Tools/Internet Options/Advanced Options... there should be a box that indicates if it's on or off (maybe you will have both SSL 2.0 and SSL 3.0).

Hope it helped.

Lamcor
 
LVL 86

Expert Comment

by:CEHJ
8-)
