SSL HTTPS:// Visibility

Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
the full HTTPS:// link??
For example if I visited
https://myserver.com/mystuff/keepout...umber129878943 would that be
visible IP traffic??

If so is there any way around this?

Thanks in advance for any feedback.

Sparkey

anon

"anon" <> wrote in message
news:busceh$qvp$...
> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to
say
> the full HTTPS:// link??
> For example if I visited
> https://myserver.com/mystuff/keepout...umber129878943 would that be
> visible IP traffic??

By definition, IP traffic is visible (pulling out the cable is the only way
to get around that one ;o)

What it /isn't/ is comprehensible to a sniffer (although there are - IIRC -
one or two negotiation exploits that could have been used in the past to
retrospectively analyse traffic. I'll also avoid mention of
man-in-the-middle exploits..)

The actual HTTP request (GET /mystuff/keepout.html?pinnumber129878943) will
be encrypted. It's still vulnerable if the box itself is compromised,
though - far better to use authentication IMHO.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

In article <busceh$qvp$>, says...
> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
> the full HTTPS:// link??
> For example if I visited
> https://myserver.com/mystuff/keepout...umber129878943 would that be
> visible IP traffic??
>
> If so is there any way around this?
>
> Thanks in advance for any feedback.
>
> Sparkey
>
>
>
>
>


The URL _will_be_ visible, unless you're using an "encoded url" scheme,
such as the one provided in the CGI/Web Proxy of www.cotse.net, which
"encodes" the url from something like http://www.cnn.com/newsstory.html
to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
similar).




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."

On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:

> In article <busceh$qvp$>, says...
>> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
>> the full HTTPS:// link??
>> For example if I visited
>> https://myserver.com/mystuff/keepout...umber129878943 would that be
>> visible IP traffic??
>>
>> If so is there any way around this?
>>
>> Thanks in advance for any feedback.
>>
>> Sparkey
>>
>>
>>
>>
>>
>
>
> The URL _will_be_ visible, unless you're using an "encoded url" scheme,
> such as the one provided in the CGI/Web Proxy of www.cotse.net, which
> "encodes" the url from something like http://www.cnn.com/newsstory.html
> to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
> similar).

Not true. The only thing that is visible is the HOST. The path is part of
the encrypted channel, and thus not visible to anybody.

In other words the ISP knows you have connected to https://myserver.com
but has no idea what page you viewed or what query parameters you sent
(the /mystuff/keepout.html?pinnumber129878943 in this case).

Using an anonymous SSL proxy would eliminate even the HOST part - if you
consider that necessary (e.g. if you are worried about traffic analysis),
but then you have to trust the proxy operator not to blow the whistle.
--
Mailman



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----

I am reading some uber-geek crypto stuff. looks like SSL ain't quite all
it's cracked up to be.

http://www.rsasecurity.com/rsalabs/faq/5-1-2.html

do a google on "SSL AND myths"

"anon" <> wrote in
news:busceh$qvp$:

> Q. Can an ISP or packet sniffers view fully all SSL requests, that is
> to say the full HTTPS:// link??
> For example if I visited
> https://myserver.com/mystuff/keepout...umber129878943 would
> that be visible IP traffic??
>
> If so is there any way around this?
>
> Thanks in advance for any feedback.
>
> Sparkey
>
>
>
>



--
Rowdy Yates
I am Against-TCPA
http://www.againsttcpa.com

"Rowdy Yates" <> wrote in message
news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.9 5.104...
> I am reading some uber-geek crypto stuff. looks like SSL ain't quite all
> it's cracked up to be.

Aside from the couple of things that have already been mentioned, how about
a cite? Google's quite large.. ;o)

H1K

In article <>,
says...
> On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:
>
> > In article <busceh$qvp$>, says...
> >> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
> >> the full HTTPS:// link??
> >> For example if I visited
> >> https://myserver.com/mystuff/keepout...umber129878943 would that be
> >> visible IP traffic??
> >>
> >> If so is there any way around this?
> >>
> >> Thanks in advance for any feedback.
> >>
> >> Sparkey
> >>
> >>
> >>
> >>
> >>
> >
> >
> > The URL _will_be_ visible, unless you're using an "encoded url" scheme,
> > such as the one provided in the CGI/Web Proxy of www.cotse.net, which
> > "encodes" the url from something like http://www.cnn.com/newsstory.html
> > to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
> > similar).
>
> Not true. The only thing that is visible is the HOST. The path is part of
> the encrypted channel, and thus not visible to anybody.
>
> In other words the ISP knows you have connected to https://myserver.com
> but has no idea what page you viewed or what query parameters you sent
> (the /mystuff/keepout.html?pinnumber129878943 in this case).
>
> Using an anonymous SSL proxy would eliminate even the HOST part - if you
> consider that necessary (e.g. if you are worried about traffic analysis),
> but then you have to trust the proxy operator not to blow the whistle.
>


My mistake. I was under the impression that the URL is completely
visible. I never checked that information out for myself (had no reason
to, didn't really care if anyone watched what I was looking at or not),
at any rate, when you said the above, I got out a sniffer and took a
look at an https connection, sure enough, nothing about the filename was
evident.


--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."

"Colonel Flagg" <> wrote in
message news:.. .
> In article <>,
> says...
> > On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:

<snip>

> > > The URL _will_be_ visible, unless you're using an "encoded url"
scheme,
> > > such as the one provided in the CGI/Web Proxy of www.cotse.net, which
> > > "encodes" the url from something like
http://www.cnn.com/newsstory.html
> > > to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or
something
> > > similar).
> >
> > Not true. The only thing that is visible is the HOST. The path is part
of
> > the encrypted channel, and thus not visible to anybody.

<snip>

> My mistake. I was under the impression that the URL is completely
> visible. I never checked that information out for myself (had no reason
> to, didn't really care if anyone watched what I was looking at or not),
> at any rate, when you said the above, I got out a sniffer and took a
> look at an https connection, sure enough, nothing about the filename was
> evident.

FWIW, it's an easy mistake to make - with everyone so used to using URLs,
it's easy to forget that there's a bunch of underlying protocols that are
doing the "real" work.

H1K

In article <B6FQb.10307$>, abuse@
[127.0.0.1] says...

> FWIW, it's an easy mistake to make - with everyone so used to using URLs,
> it's easy to forget that there's a bunch of underlying protocols that are
> doing the "real" work.
>
> H1K
>
>
>


didn't forget about the SSL/https, didn't realize that everything after
the domain was also encrypted. I just assumed, based on incorrect
information that was given to me previously, that the entire URL was
visible, just the content was encrypted.




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."

the info was in the book. also on the accompanying cd-rom. it was covered
in RSA conference in 2000/2001. sounds like it was part of
notes/minutes/transcript of one of the speakers.

if you are that interested, i can dig it up.

ry

"Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
news:SpxQb.10007$:

> "Rowdy Yates" <> wrote in message
> news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.9 5.104...
>> I am reading some uber-geek crypto stuff. looks like SSL ain't quite
>> all it's cracked up to be.
>
> Aside from the couple of things that have already been mentioned, how
> about a cite? Google's quite large.. ;o)
>
> H1K
>
>
>



--
Rowdy Yates
I am Against-TCPA
http://www.againsttcpa.com