Solved

SSL

Posted on 2004-04-17
7
279 Views
Last Modified: 2010-04-11
Hi;

I am wondering: when a browser links to a secure service (HTTPS, for example), how is that connection secure if I don't have a digital certificate on the machine from which I run the browser?

I'd also like to know when making such a connection, or even indeed one where I would have a certificate as well, at what stage is the connection actually secure - I mean presumably there has to be an initial log-in routine during which part of the time at least, there is no security - or am I mistaken?
0
Question by:krakatoa
7 Comments
 
LVL 86

Assisted Solution

by:CEHJ
CEHJ earned 50 total points
ID: 10848878
As a preliminary, the following may be illuminating. Probably start reading from "Here's how SSL handshaking works:"

http://www.networkmagazine.com/article/NMG20021203S0012
0
 
LVL 8

Assisted Solution

by:RLGSC
RLGSC earned 50 total points
ID: 10849200
Krakatoa,

I don't have the details of the SSL handshake in my head at the moment (and I just woke up, and haven't had my coffee). However, remember that the browser does indeed have a root for the trust, the certificates from the well-known Certificate Authorities that are the "signers" of the X.509 certificates from the different www sites.

In general, the www servers cannot authenticate you (without a username/password), but your system can identify them by verifying the integrity of their certificate (from information provided by the well-known Certificate Authorities). In some cases, organizations have established their own internal Certificate Authorities, which makes the process a multi-step walk up the hierarchy until you reach a well-known CA.

The certificates are also only good for a particular DNS name.

For the full details of the SSL protocol, the best source that I can think of is either:

  - a good textbook (from your local bookstore or college bookstore)
  - the appropriate RFC governing SSL (see WWW.IETF.ORG)
  - a magazine article (such as the one cited by CEHJ); I will admit that this is not my preference, I prefer the actual RFC (although they are admittedly harder to read, a well written text is generally more authoritative and more complete than an article).

I hope that the above is helpful.

- Bob (aka RLGSC)
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10849361
All modern browsers have certificates built in....
For example, the version of IE 6 I'm using uses a built-in RSA certificate.
0
 
LVL 16

Author Comment

by:krakatoa
ID: 10850226
>> All modern browsers ...

I looked at mine, and can see only in Help About that it says cipher strength, 128 bit.  Is that it, or is there some other evidence that encryption is running? Why does anyone need a digital certificate then if encryption is built in?

>>  ... the browser does indeed have a root for the trust,  ...

I don't really understand that. How do I substantiate that, and what does it mean, "a root for the trust"?

Had a look at the networkmagazine material, and there again I see that there is a pre master secret exchange. I'd really have liked the author to have spelt out plainly whether there is *any* exchange between (secure) server and client which is not secured from the word go.

This last point, plus the relevance of a certificate anyway, remain my two areas of ignorance. ;)
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 50 total points
ID: 10850421
Ooops...  I meant that browsers have ciphers built in, not certificates.  Silly me.
A better description is at the MS site:

http://support.microsoft.com:80/support/kb/articles/Q257/5/91.ASP&NoWebContent=1



0
 

Accepted Solution

by:Lamcor
Lamcor earned 50 total points
ID: 10871253
Hello. I won't make this too long.

"There's always security" ;)

Understanding how SSL (Secure Socket Layer) provides transmission protection...

Little History:

 - Netscape designed the SSL protocol to provide encryption, message integrity, and server authentication for TCP/IP. They made it a public service (nonproprietary protocol) and submitted SSL to the W3C for consideration as a standard security approach for the browsers and servers on the internet.

 - The SSL protocol requires an SSL-enabled server and browser to make the connection; both Internet Explorer and, of course, Netscape support this (many others do too).

 - The SSL-supported server authentication uses RSA public-key cryptography, with a certificate publishing authority (like Verisign) for server authentication. Whenever you are connected to a secure server (any secure server), you can view the server's certificate.

The Actual Thing:

Ok, when a browser tries to connect to a secure server, it sends the server a message, its public key (this is a key generated uniquely when you install the browser on your computer).

The server then receives the public key. If the browser supports any kind of encryption that the server has to offer, the server will send back an encrypted response with the browser's public key, and it will also include the server's own public key.

So far the server knows the public key of the browser and the browser knows the public key of the server.

After the browser receives the server response, the browser sends another request to the server. This time, the browser encrypts the message to the server with the server's public key, now that the browser knows the key. In addition, the browser instructs the server to send to the browser the session key (not the public key) that both will use to communicate.

The server sends back the session key (encrypted with the browser's public key).

After the browser receives the encrypted session key, the browser then proceeds with its remaining request.

How to Know when you are Transmitting over a Secure Connection:

If the URL you're trying to access begins with https:// instead of http://, then it's from a secure server.

Also you can see an icon in the lower bar of your browser: a key in Netscape, or a padlock in Internet Explorer.

There are security warnings that come up when trying to access a secure server, mostly when sending information like credit card numbers and so on.

To see whether you have SSL enabled or disabled in Internet Explorer, start your browser and go to Tools/Internet Options/Advanced Options... there should be a box that indicates if it's on or off (maybe you will have both SSL 2.0 and SSL 3.0).

Hope it helped.

Lamcor
0
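A toy model of the RSA key-exchange handshake described in the networkmagazine article linked earlier in the thread, added here as example code (it is not from any poster): the CA public key stands in for the root certificates built into the browser, the client presents no certificate of its own, and the returned transcript shows which messages travel in the clear. Everything in it is a construction for illustration: the Mersenne-prime RSA keys, the host name shop.example, HMAC-SHA256 in place of the SSL PRF, and textbook unpadded RSA.

```python
"""Toy model of the SSL RSA handshake: what travels in the clear and what is secret."""
import hashlib, hmac, os

def rsa_keygen(p, q, e=65537):
    """Textbook RSA on two fixed Mersenne primes (toy: tiny keys, no padding)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))        # (public, private)

def _digest(data, n):              # hash-to-integer for the toy signature scheme
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def rsa_sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0])
def rsa_verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

def issue_cert(ca_priv, host, server_pub):
    """CA binds host name to server public key: a stand-in for the X.509 certificate."""
    body = f"{host}|{server_pub[0]}|{server_pub[1]}".encode()
    return body, rsa_sign(ca_priv, body)

def check_cert(ca_pub, cert, expected_host):
    """Browser side: accept only if signed by a built-in CA key and issued for this host."""
    body, sig = cert
    host, n, e = body.decode().split("|")
    return (int(n), int(e)) if rsa_verify(ca_pub, body, sig) and host == expected_host else None

def derive_key(pre_master, client_random, server_random):
    """Stand-in for the SSL PRF: session key from the pre-master secret plus both randoms."""
    return hmac.new(pre_master, client_random + server_random, hashlib.sha256).digest()

def handshake(ca_pub, cert, server_priv, host):
    """Return (what an eavesdropper sees, client key, server key, server accepts Finished)."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    # Hellos and Certificate are sent unencrypted; none of them contains a secret.
    transcript = [("ClientHello", client_random), ("ServerHello", server_random), ("Certificate", cert[0])]
    server_pub = check_cert(ca_pub, cert, host)            # no client certificate is involved
    if server_pub is None:
        raise ValueError("certificate not signed by a trusted CA, or issued for another host")
    pre_master = os.urandom(16)                            # the only secret on the wire, and it is
    n, e = server_pub                                      # RSA-encrypted so only the server reads it
    transcript.append(("ClientKeyExchange", pow(int.from_bytes(pre_master, "big"), e, n)))
    server_pre_master = pow(transcript[-1][1], server_priv[1], server_priv[0]).to_bytes(16, "big")
    k_client = derive_key(pre_master, client_random, server_random)
    k_server = derive_key(server_pre_master, client_random, server_random)
    # Finished: a MAC over everything exchanged so far; tampering with the clear-text steps breaks it.
    finished = hmac.new(k_client, repr(transcript).encode(), hashlib.sha256).digest()
    expected = hmac.new(k_server, repr(transcript).encode(), hashlib.sha256).digest()
    return transcript + [("Finished", finished)], k_client, k_server, hmac.compare_digest(finished, expected)
CA_PUB, CA_PRIV = rsa_keygen(2**89 - 1, 2**107 - 1)       # the "root for the trust" built into the browser
SERVER_PUB, SERVER_PRIV = rsa_keygen(2**61 - 1, 2**127 - 1)
SERVER_CERT = issue_cert(CA_PRIV, "shop.example", SERVER_PUB)   # constructed host name
```

A certificate signed by an unknown CA, or issued for a different host, is rejected before any secret is sent, which is the check the browser's built-in roots make possible.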
 
LVL 86

Expert Comment

by:CEHJ
ID: 10917277
8-)
0
