
Author Topic: Secure connections really secure ?  (Read 3241 times)


Jose (Topic starter)
Secure connections really secure ?
« on: July 11, 2007, 04:03:12 PM »
Thought this would be interesting for others too. Not being a network guru (though I've already read the IP protocol rfc;)) I was wondering what protocol do browsers/webservers use when a requester pops up saying we are using a secure connection. Like when using Paypal. And how secure is it really ? What about if you're connecting through one of those wifi AP's someone set up (talking about intentional internet sharing here, not stealing;)) won't he be able to spy on all the data that goes through the server (same applies to ISPs ?) I mean, even if the thing is encrypted he'll be able to view the initialization process so I don't get it how a connection can really be secure for the user, at least on the provider side.
"We made Amiga, they {bleep}ed it up"
 

Floid
Re: Secure connections really secure ?
« Reply #1 on: July 11, 2007, 04:21:02 PM »
Start here:
http://en.wikipedia.org/wiki/Https
http://en.wikipedia.org/wiki/Secure_Sockets_Layer
Quote
In order to generate the session keys used for the secure connection, the browser uses the server public key from the certificate to encrypt a random number and send it to the server. Only the server can decrypt it (with its private key): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data.


If HTTPS weren't secure for use through an AP it would be equally insecure for use through every other equally untrusted path on the internet.

Attacking the encryption involved is computationally expensive and not ordinarily worthwhile when the "secure" site's systems can be compromised directly (password attacks, SQL holes, idiots sharing customer_data.xls on an open WebDAV share, grabbing an unencrypted backup off the Iron Mountain truck), yielding entire databases at once.  

You might want to be concerned if you're hiding from or working for the NSA.
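
The key exchange in the Wikipedia passage quoted above, as an added example that is not part of the original thread: it shows what a party on the path (an access point owner or ISP) can record during the handshake and that the secret itself never crosses the wire in the clear. The toy key built from two Mersenne primes, the unpadded RSA, the HMAC-SHA256 key derivation and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed toy key: two Mersenne primes make n trivial to factor. Real
# certificates carry keys built from random primes, and real SSL pads the
# secret (PKCS#1) before encrypting; both are left out here.
P, Q = 2**521 - 1, 2**607 - 1
E = 65537

def server_keypair():
    """Return (public, private); the public half goes in the certificate."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)

def session_key(premaster, client_random, server_random):
    """Simplified stand-in for the SSL key-derivation step."""
    return hmac.new(premaster, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()

def handshake():
    """Run one exchange; return both keys, the secret, and what the network saw."""
    public, private = server_keypair()
    client_random = secrets.token_bytes(32)   # sent in the clear
    server_random = secrets.token_bytes(32)   # sent in the clear

    # Client: pick a random premaster secret and encrypt it to the server.
    premaster = secrets.token_bytes(48)
    n, e = public
    encrypted = pow(int.from_bytes(premaster, "big"), e, n)

    # Server: only the private exponent d recovers the secret.
    n, d = private
    recovered = pow(encrypted, d, n).to_bytes(48, "big")

    client_key = session_key(premaster, client_random, server_random)
    server_key = session_key(recovered, client_random, server_random)
    # Everything an access point or ISP on the path can record:
    observed = {"public_key": public, "client_random": client_random,
                "server_random": server_random, "encrypted_premaster": encrypted}
    return client_key, server_key, premaster, observed

if __name__ == "__main__":
    ck, sk, _, seen = handshake()
    print("keys match:", ck == sk)
    print("observer holds:", sorted(seen))
```

The observer ends up with the public key, both random values and the encrypted secret; deriving the session key additionally needs the premaster secret, which only the holder of the private exponent can recover.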
 

Piru
Re: Secure connections really secure ?
« Reply #2 on: July 11, 2007, 04:21:15 PM »
 

Jose (Topic starter)
Re: Secure connections really secure ?
« Reply #3 on: July 11, 2007, 04:28:24 PM »
Nice! I'll have to digest the info a bit before actually understanding it though...:)
"We made Amiga, they {bleep}ed it up"
 

sir_inferno
Re: Secure connections really secure ?
« Reply #4 on: July 11, 2007, 06:37:35 PM »
Quote

Jose wrote:
What about if you're connecting through one of those wifi AP's someone set up (talking about intentional internet sharing here, not stealing;)) won't he be able to spy on all the data that goes through the server (same applies to ISPs ?) I mean, even if the thing is encrypted he'll be able to view the initialization process so I don't get it how a connection can really be secure for the user, at least on the provider side.


wireless is extremely vulnerable to man in the middle attacks...but if you've got encryption like SSL then your data is absolutely secure
 

trip6
Re: Secure connections really secure ?
« Reply #5 on: July 11, 2007, 09:14:42 PM »
I am a network engineer... Here is the down low on SSL or Secure Socket Layer encryption. SSL has its own TCP port 443. SSL is commonly used with HTTPS protocol. TCP is a session oriented protocol, meaning that the client and the server establish a session before communication takes place. What SSL does is set up an encryption algorithm for that session based on a security certificate; if you don't have the correct algorithm you cannot transmit data to that session. Can it be hacked? Yes, just like anything, it just takes a long time. Security is finite not infinite so all security can be cracked given an appropriate amount of time and the appropriate resources to do so. But it creates enough of a stumbling block that 90% of the people trying to crack it give up before they can or do not have the resources or knowledge to do so. Think of it as a safe, I can break into a safe but if the walls are 20 foot thick, I may have to risk myself and have significant resources to do so. Hope that makes sense to you... Feel free to ask questions.
 

Ami_GFX
Re: Secure connections really secure ?
« Reply #6 on: July 12, 2007, 12:40:09 AM »
Yes, SSL is secure. The weak point is not the protocol but the user--i.e., if some hacker obtains your Paypal password through a trojan, phishing scheme, or whatever means, his access to your account will be just as secure as yours. Making sure your computer is malware free and avoiding using computers that you're not sure about for anything but casual surfing and never clicking on direct links in emails will help out a lot on the user end of the equation.
A2500 owned since 1993 with A2630/DKB 2632, DKB Megachip, GVP EGS Spectrum, A2320 and GVP HC+8 on the inside and a DCTV on the outside. A4000D with CSPPC, Cybervision 64 and a Flicker Magic flicker fixer. A4000T Toaster Flyer & CSMKII. All systems completely retro and classic and mostly used to do geometric art as in my avatar.
 

InTheSand
Re: Secure connections really secure ?
« Reply #7 on: July 12, 2007, 02:37:55 AM »
Quote

Floid wrote:
idiots sharing customer_data.xls on an open WebDAV share


Heh! Are people/companies really that stupid??!  :lol:

 - Ali
 

Jose (Topic starter)
Re: Secure connections really secure ?
« Reply #8 on: July 13, 2007, 03:05:36 PM »
All seems pretty straightforward, still a doubt popped up about when using wireless but logged in here today and you guys have already answered that:)

So as I see it, I don't care if anyone spies on the sites that I visit when using wireless connection, cause the ones with sensitive information are encrypted.
"We made Amiga, they {bleep}ed it up"
 

Jose (Topic starter)
Re: Secure connections really secure ?
« Reply #9 on: July 13, 2007, 03:10:07 PM »
Kind of makes using a more uncommon platform a very good choice when it comes to security doesn't it.. :-)
"We made Amiga, they {bleep}ed it up"
 

Zac67
Re: Secure connections really secure ?
« Reply #10 on: July 13, 2007, 11:17:26 PM »
@trip6

Just to put your statement into scale: to break into a safe w/ 20 feet walls, you need what? a month?

To break an AES-256 key using every piece of hardware on this planet, you'd need several times longer than the current age of the universe (actually you're not even beginning to get to the same scale here), using much, much more power than the universe has got - and yes, I have converted all matter to energy for that purpose...

So, with today's technology you can safely assume AES-256 or RC5-256 (or even 128 bit keys) to be secure. This may rapidly change once reasonably sized quantum computers become available, but that'll take a bit.

PS: The still commonly used RC4 encryption has some weaknesses (e.g. in WEP), so it must be carefully implemented and use appropriate key lengths. E.g. WPA can still be considered secure whereas WEP is highly compromised. WPA2 (optionally) uses AES, so it's the best choice for wireless LAN encryption.
 

Piru
Re: Secure connections really secure ?
« Reply #11 on: July 13, 2007, 11:51:14 PM »
@Jose

Here's an article you might find interesting, too:
Secure programming with the OpenSSL API, Part 2: Secure handshake
 

Jose (Topic starter)
Re: Secure connections really secure ?
« Reply #12 on: July 14, 2007, 06:35:53 PM »
"Here's an article you might find interesting, too: ..."

Very :-)
"We made Amiga, they {bleep}ed it up"
 

vk3heg
Re: Secure connections really secure ?
« Reply #13 on: July 16, 2007, 10:20:15 AM »
Quote

InTheSand wrote:
Quote

Floid wrote:
idiots sharing customer_data.xls on an open WebDAV share


Heh! Are people/companies really that stupid??!  :lol:

 - Ali


YES!

:roll: :shocked:
Amiga 3000: Towered, 12Mb Ram, 9Gig SCSI Hd, Retina BLT Z3, X-Surf, OS3.1
Amiga 4000D: Warp Engine '040 40Mhz, 150mb Ram, CyberVision 64/4, X-Surf, OS3.9
 

uncharted
Re: Secure connections really secure ?
« Reply #14 on: July 16, 2007, 10:38:44 AM »
Quote

Jose wrote:
All seems pretty straightforward, still a doubt popped up about when using wireless but logged in here today and you guys have already answered that:)

So as I see it, I don't care if anyone spies on the sites that I visit when using wireless connection, cause the ones with sensitive information are encrypted.


Wireless routers can be set up with WPA encryption for an additional layer of security.