Solved

SSL

Posted on 2004-04-17
Last Modified: 2010-04-11
Hi;

I am wondering: when a browser links to a secure service (HTTPS, e.g.), how is that connection secure if I don't have a digital certificate on the machine from where I run the browser?

I'd also like to know, when making such a connection, or even indeed one where I would have a certificate as well, at what stage is the connection actually secure - I mean presumably there has to be an initial log-in routine during which part of the time at least, there is no security - or am I mistaken?
Question by:krakatoa
7 Comments
 
LVL 86

Assisted Solution

by:CEHJ
CEHJ earned 200 total points
ID: 10848878
As a preliminary, the following may be illuminating. Probably start reading from "Here's how SSL handshaking works:"

http://www.networkmagazine.com/article/NMG20021203S0012
 
LVL 8

Assisted Solution

by:RLGSC
RLGSC earned 200 total points
ID: 10849200
Krakatoa,

I don't have the details of the SSL handshake in my head at the moment (and I just woke up, and haven't had my coffee). However, remember that the browser does indeed have a root for the trust, the certificates from the well-known Certificate Authorities that are the "signers" of the X.509 certificates from the different www sites.

In general, the www servers cannot authenticate you (without a username/password), but your system can identify them by verifying the integrity of their certificate (from information provided by the well-known Certificate Authorities; in some cases, organizations have established their own internal Certificate Authorities, which makes the process a multi-step walk up the hierarchy until you reach a well-known CA).

The certificates are also only good for a particular DNS name.

For the full details of the SSL protocol, the best source that I can think of is either:

  - a good textbook (from your local bookstore or college bookstore)
  - the appropriate RFC governing SSL (see WWW.IETF.ORG)
  - a magazine article (such as the one cited by CEHJ); I will admit that this is not my preference, I prefer the actual RFC
    (although they are admittedly harder to read, a well-written text is generally more authoritative and more complete than
    an article).

I hope that the above is helpful.

- Bob (aka RLGSC)
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10849361
All modern browsers have certificates built in....
For example, the version of IE 6 I'm using uses a built-in RSA certificate.
 
LVL 17

Author Comment

by:krakatoa
ID: 10850226
>> All modern browsers ...

I looked at mine, and can see only in Help About that it says cipher strength, 128 bit.  Is that it, or is there some other evidence that encryption is running? Why does anyone need a digital certificate then if encryption is built in?

>>  ... the browser does indeed have a root for the trust,  ...

Don't really understand that. How do I substantiate that, and what does it mean, "a root for the trust"?

Had a look at the networkmagazine material, and there again I see that there is a pre master secret exchange. I'd really have liked the author to have spelt out plainly whether there is *any* exchange between (secure) server and client which is not secured from the word go.

This last point, plus the relevance of a certificate anyway, remain my two areas of ignorance. ;)
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 200 total points
ID: 10850421
Ooops...  I meant that browsers have ciphers built in, not certificates.  Silly me.
A better description is at the MS site:

http://support.microsoft.com:80/support/kb/articles/Q257/5/91.ASP&NoWebContent=1



 

Accepted Solution

by:
Lamcor earned 200 total points
ID: 10871253
Hello. I won't make this too long.


"There's always security" ;)


 Understanding how SSL (Secure Sockets Layer) provides transmission protection...

 Little History:

 - Netscape designed the SSL protocol to provide encryption, message integrity, server
authentication for TCP/IP. They made it a public service (nonproprietary protocol) and
submitted SSL to the W3C for consideration as a standard security approach for the browsers
and servers on the internet.

 - The SSL protocol requires an SSL-enabled server and browser to do the connection, both
Internet Explorer and of course Netscape support this (many others too).

 - The SSL-supported server authentication uses RSA public-key cryptography, with a
certificate publishing authority (like Verisign) for server authentication. Whenever u are
connected to a secure server (any secure server), u can view the server's certificate.

 The Actual Thing:

 Ok, when a browser tries to connect to a secure server, it sends the server a message, its
public key (this is a key generated uniquely when u install the browser in your computer).
 
 The server then receives the public key. If the browser supports any kind of encryption
that the server has to offer, the server will send back an encrypted response with the
browser's public key and it will also include the server's own public key.
 
 So far the server knows the public key of the browser and the browser knows the public key
of the server.  
 
 After the browser receives the server response, the browser sends another request to the
server. This time, the browser encrypts the message to the server with the server's public
key, now that the browser knows the key. In addition, the browser instructs the server to
send to the browser the session key (not the public key) that both will use to communicate.

The server sends back the session key (encrypted with the browser's public key).

 After the browser receives the encrypted session key, the browser then proceeds with its
remaining request.


 How to Know when u are Transmitting with a Secure Connection:

 If the URL you're trying to access begins with https:// instead of http://, then it's from a
secure server.

 Also u can see an icon in the lower bar of your browser, a key in Netscape, or a padlock in
Internet Explorer.

 There are security warnings that come up when trying to access a secure server, mostly when
sending information like credit card numbers and so.

 To see whether u have SSL enabled or disabled on Internet Explorer, start your browser and go
to: Tools/Internet Options/Advanced Options... there should be a Box that indicates if it's
on orrrrr off. (maybe you will have both SSL2.0 and SSL3.0).

Hoped it Helped.

Lamcor
0
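An added example, not part of any post in this thread, for the asker's two questions (no client certificate, and which part of the exchange is unprotected). It uses Python's standard `ssl` module against in-memory buffers to produce the first handshake message a client would send, then parses it to show that it goes out unencrypted and names the server, while the default client context verifies the server's certificate and DNS name without any client certificate being loaded. The hostname is a constructed sample and the function names are hypothetical.

```python
import ssl
import struct

def first_client_message(hostname):
    """Begin a handshake with no network: return (context, bytes queued for the server)."""
    ctx = ssl.create_default_context()       # trusted CA roots only; no client cert loaded
    inbound, outbound = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(inbound, outbound, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:             # client is now waiting for the server's reply
        pass
    return ctx, outbound.read()

def inspect_first_message(hostname):
    ctx, data = first_client_message(hostname)
    rec_type, _version, _rec_len = struct.unpack("!BHH", data[:5])   # TLS record header
    hs_type = data[5]                        # handshake message type
    pos = 5 + 4                              # skip record and handshake headers
    pos += 2 + 32                            # client_version + random
    pos += 1 + data[pos]                     # session id
    (cs_len,) = struct.unpack("!H", data[pos:pos + 2])
    pos += 2 + cs_len                        # cipher suites the client offers
    pos += 1 + data[pos]                     # compression methods
    (ext_total,) = struct.unpack("!H", data[pos:pos + 2])
    pos += 2
    end, server_name = pos + ext_total, None
    while pos + 4 <= end:                    # walk the extensions
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:                    # server_name: list_len(2) type(1) len(2) name
            (name_len,) = struct.unpack("!H", body[3:5])
            server_name = body[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return {
        "record_type": rec_type,             # 22 = handshake record, readable on the wire
        "handshake_type": hs_type,           # 1 = ClientHello
        "cipher_suites_offered": cs_len // 2,
        "server_name": server_name,          # DNS name, visible in clear text
        "verifies_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_dns_name": ctx.check_hostname,
    }

if __name__ == "__main__":
    for key, value in inspect_first_message("www.example.com").items():  # constructed name
        print(f"{key}: {value}")
```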
 
LVL 86

Expert Comment

by:CEHJ
ID: 10917277
8-)
