Amiga.org
Amiga computer related discussion => Amiga Software Issues and Discussion => Topic started by: Jose on July 11, 2007, 04:03:12 PM
-
Thought this would be interesting for others too. Not being a network guru (though I've already read the IP protocol rfc;)) I was wondering what protocol do browsers/webservers use when a requester pops up saying we are using a secure connection. Like when using Paypal. And how secure is it really ? What about if you're connecting through one of those wifi AP's someone set up (talking about intentional internet sharing here, not stealing;)) won't he be able to spy on all the data that goes through the server (same applies to ISPs ?) I mean, even if the thing is encrypted he'll be able to view the initialization process so I don't get it how a connection can really be secure for the user, at least on the provider side.
-
Start here:
http://en.wikipedia.org/wiki/Https
http://en.wikipedia.org/wiki/Secure_Sockets_Layer
In order to generate the session keys used for the secure connection, the browser uses the server public key from the certificate to encrypt a random number and send it to the server. Only the server can decrypt it (with its private key): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data.
If HTTPS weren't secure for use through an AP it would be equally insecure for use through every other equally untrusted path on the internet.
Attacking the encryption involved is computationally expensive and not ordinarily worthwhile when the "secure" site's systems can be compromised directly (password attacks, SQL holes, idiots sharing customer_data.xls on an open WebDAV share, grabbing an unencrypted backup off the Iron Mountain truck), yielding entire databases at once.
You might want to be concerned if you're hiding from or working for the NSA.
-
http://en.wikipedia.org/wiki/Transport_Layer_Security
It is secure.
-
Nice! I'll have to digest the info a bit before actually understanding it though...:)
-
Jose wrote:
What about if you're connecting through one of those wifi AP's someone set up (talking about intentional internet sharing here, not stealing;)) won't he be able to spy on all the data that goes through the server (same applies to ISPs ?) I mean, even if the thing is encrypted he'll be able to view the initialization process so I don't get it how a connection can really be secure for the user, at least on the provider side.
wireless is extremely vulnerable to man in the middle attacks...but if you've got encryption like SSL then your data is absolutely secure
-
I am a network engineer... Here is the down low on SSL or Secure Socket Layer encryption. SSL has its own TCP port 443. SSL is commonly used with HTTPS protocol. TCP is a session oriented protocol, meaning that the client and the server establish a session before communication takes place. What SSL does is setup an encryption algorithm for that session based on a security certificate, if you don't have the correct algorithm you cannot transmit data to that session. Can it be hacked yes, just like anything it just takes along time. Security is finite not infinite so all security can be cracked given an appropriate amount of time and the appropraite resources to do so. But it creates enough of a stumbling block that 90% of the people trying to crack it, give up before they can or do not have the resources or knowledge to do so. Think of it as a safe, I can break into a safe but if the walls are 20 foot thick, I may have to risk myself and have significant resources to do so. Hope that makes sense to you... Feel free to ask questions.
-
Yes, SSL is secure. The weak point is not the protocol but the user--ie, if some hacker obtains your Paypal password through a trojan, phishing scheme, or whatever means, his access to your account will be just as secure as yours. Making sure your computer is malware free and avoiding using computers that you're not sure about for anything but casual surfing and never clicking on direct links in emails will help out a lot on the user end of the equation.
-
Floid wrote:
idiots sharing customer_data.xls on an open WebDAV share
Heh! Are people/companies really that stupid??! :lol:
- Ali
-
All seems pretty straightforward, still a doubt poped up about when using wireless but logged in here today and you guys have already answered that:)
So as I see it, I don't care if anyone spies on the sites that I visit when using wireless connection, cause the ones with sensitive information are encrypted.
-
Kind of makes using a more uncommon platform a very good choice when it comes to security doesn't it.. :-)
-
@trip6
Just to put your statement into scale: to break into a safe w/ 20 feet walls, you need what? a month?
To break an AES-256 key using every piece of hardware on this planet, you'd need several times longer than the current age of the universe (actually you're not even beginning to get to the same scale here), using much, much more power than the universe has got - and yes, I have converted all matter to energy for that purpose...
So, with today's technology you can safely assume AES-256 or RC5-256 (or even 128 bit keys) to be secure. This may rapidly change once reasonably sized quantum computers become available, but that'll take a bit.
PS: The still commonly used RC4 encryption has some weaknesses (e.g. in WEP), so it must be carefully implemented and use appropriate key lengths. E.g. WPA can still be considered secure whereas WEP is highly compromised. WPA2 (optionally) uses AES, so it's the best choice for wireless LAN encryption.
-
@Jose
Here's an article you might find interesting, too:
Secure programming with the OpenSSL API, Part 2: Secure handshake (http://www-128.ibm.com/developerworks/linux/library/l-openssl2.html?ca=dgr-lnxw06SecureHandshake)
-
"Here's an article you might find interesting, too: ..."
Very :-)
-
InTheSand wrote:
Floid wrote:
idiots sharing customer_data.xls on an open WebDAV share
Heh! Are people/companies really that stupid??! :lol:
- Ali
YES!
:roll: :shocked:
-
Jose wrote:
All seems pretty straightforward, still a doubt poped up about when using wireless but logged in here today and you guys have already answered that:)
So as I see it, I don't care if anyone spies on the sites that I visit when using wireless connection, cause the ones with sensitive information are encrypted.
Wireless routers can be set up with WPA encryption for an additional layer of security.
-
An if using wireless, you can also use mac address filter lists to filter clients with only specific mac addresses to gain access to the wireless connection.
But just as any security, mac addresses can be spoofed. That is why security is a layered approach and why others have recommended WPA for wireless too... So mac address list, WPA or EAP or LEAP and your about as secure as you can get on a wireless connection...
To the guy who was referring to AES-256, it is pretty darn secure but was and has been cracked already in penetrative testing by the DOD electronic warfare guys in about a 3 month time frame. The current highest level of security available is rumored to be a 2048-bit tumbling key standard created by the DOD that has yet to be cracked. No one in the public has seen it, and it may not become a public standard ever...
Nuff said...
-
Saw an article by accident that kind of contradicts things that have been said here...
HERE (http://star-techcentral.com/tech/story.asp?file=/2005/2/8/technology/10121212&sec=technology)
To my understanding of what has been posted here and the links you posted https encrypts the data so even if one set up a twin tower without WPA the server would never be able to get it.
But the guy seems to have some authority on the matter ... :-?
-
Jose wrote:
Saw an article by accident that kind of contradicts things that have been said here...
HERE (http://star-techcentral.com/tech/story.asp?file=/2005/2/8/technology/10121212&sec=technology)
To my understanding of what has been posted here and the links you posted https encrypts the data so even if one set up a twin tower without WPA the server would never be able to get it.
But the guy seems to have some authority on the matter ... :-?
Journalists are often idiots, unfortunately.
A rogue AP is potentially a man-in-the-middle, and connecting to one lets its operator view traffic not otherwise encrypted -- that is to say, TCP/IP never gave you any security on its lonesome, and WEP or WPA only gives you some measure of link-layer security to create a trusted path between yourself and the AP you're using. If you end up trusting the wrong guy, that's 'your problem.'
Again quoting Wikipedia, just because the author put it eloquently:
TLS runs on layers beneath application protocols such as HTTP, FTP, SMTP, NNTP, and XMPP and above a reliable transport protocol, TCP for example.
When you bend the OSI model to the real world, TLS is technically on the 'application layer' with everything else that rides atop TCP atop IP.
So... if you're actually connecting to your bank over TLS, you're pretty much fine no matter what link you use, that's the point of the protocol. However, a man in the middle could:
* Set up a man-in-the-middle attack that proxies TLS both ways; this would probably require you to be stupid and trust his certificate, which your browser will warn and complain about. At least, unless you or some monkey in the IT department disabled the warning because it was 'getting annoying' when working with machines with self-signed certificates. (Right process: Add certificate to browser. Wrong process: Trusting every machine to trust one machine.)
* Set up an AP down the street from a coffee shop that has users pay through their browsers for access, copying the appearance of their login and payment pages, probably just implementing it with no encryption so harried users won't see any obvious warnings. Of course, unlike the coffee shop's system, there's no reason to provide service after the details are phished, but a smart attacker could then route things through a single paid login via the real AP to avoid detection. Cheap price for him to pay, especially if he's paying with someone else's CC.
Neither of those compromise encryption, though both do attack weaknesses in the human ability to understand and remain aware of authentication protocols.
Here's an example of a fairly clever attack which has nothing to do with wireless:
http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html
This 'worked' because the offending script was legitimately served by PayPal over TLS, probably embedded in the attacker's username or address string or somesuch. Note that the redirect for the actual attack pointed to a different server, so the URL would be a tipoff -- generally attackers mask these with a few thousand bytes of garbage arguments similar to the real ones PayPal or eBay use during a session.
"Users need to be wary of not using their WiFi enabled laptops or other portable devices in order to conduct financial transactions or anything that is of a sensitive personal nature, for fear of having disclosed this information to an unauthorised third party"?
No, users need to be wary of feeding sensitive details into any system where they don't understand how to authenticate the receiving party and security of the path.
---
Can I have $0.75 for this response? I'm supposed to be working and I've got no change for the soda machine. :-(
-
vk3heg wrote:
InTheSand wrote:
Floid wrote:
idiots sharing customer_data.xls on an open WebDAV share
Heh! Are people/companies really that stupid??! :lol:
- Ali
YES!
:roll: :shocked:
This is what's known as a 'Google attack.'
-
trip6 wrote:
But just as any security, mac addresses can be spoofed. That is why security is a layered approach and why others have recommended WPA for wireless too... So mac address list, WPA or EAP or LEAP and your about as secure as you can get on a wireless connection...
As long as you're happy to connect to anyone who solves for the WPA-PSK PMK and spoofs the MAC address, apparently.
I think you meant 'and EAP...,' at least, but all this link-layer security is mostly flawed compared to end-to-end. Even if any technique actually granted 'Wired-Equivalent Privacy,' the only security your wire had was your door lock.
-
trip6 wrote:
To the guy who was referring to AES-256, it is pretty darn secure but was and has been cracked already in penetrative testing by the DOD electronic warfare guys in about a 3 month time frame.
DOH - you got any details/link to that? Or is it only rumour? The only known methods of attack (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security) can hardly be regarded as 'cracked'.
-
Excellent replies, that clarifies it. I'm starting to like this networking thing... :-D