
SSL HTTPS:// Visibility

 
 
anon
 
      01-23-2004
Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
the full HTTPS:// link??
For example if I visited
https://myserver.com/mystuff/keepout...umber129878943 would that be
visible IP traffic??

If so is there any way around this?

Thanks in advance for any feedback.

Sparkey




 
Hairy One Kenobi
 
      01-24-2004
"anon" <(E-Mail Removed)> wrote in message
news:busceh$qvp$(E-Mail Removed)...
> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
> the full HTTPS:// link??
> For example if I visited
> https://myserver.com/mystuff/keepout...umber129878943 would that be
> visible IP traffic??


By definition, IP traffic is visible (pulling out the cable is the only way
to get around that one ;o)

What it /isn't/ is comprehensible to a sniffer (although there are - IIRC -
one or two negotiation exploits that could have been used in the past to
retrospectively analyse traffic. I'll also avoid mention of
man-in-the-middle exploits..)

The actual HTTP request (GET /mystuff/keepout.html?pinnumber129878943) will
be encrypted. It's still vulnerable if the box itself is compromised,
though - far better to use authentication IMHO.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!


 
Colonel Flagg
 
      01-24-2004
In article <busceh$qvp$(E-Mail Removed)>, (E-Mail Removed) says...
> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
> the full HTTPS:// link??
> For example if I visited
> https://myserver.com/mystuff/keepout...umber129878943 would that be
> visible IP traffic??
>
> If so is there any way around this?
>
> Thanks in advance for any feedback.
>
> Sparkey
>
>
>
>
>



The URL _will_be_ visible, unless you're using an "encoded url" scheme,
such as the one provided in the CGI/Web Proxy of www.cotse.net, which
"encodes" the url from something like http://www.cnn.com/newsstory.html
to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
similar).




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."
 
Mailman
 
      01-24-2004
On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:

> In article <busceh$qvp$(E-Mail Removed)>, (E-Mail Removed) says...
>> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
>> the full HTTPS:// link??
>> For example if I visited
>> https://myserver.com/mystuff/keepout...umber129878943 would that be
>> visible IP traffic??
>>
>> If so is there any way around this?
>>
>> Thanks in advance for any feedback.
>>
>> Sparkey
>>
>>
>>
>>
>>

>
>
> The URL _will_be_ visible, unless you're using an "encoded url" scheme,
> such as the one provided in the CGI/Web Proxy of www.cotse.net, which
> "encodes" the url from something like http://www.cnn.com/newsstory.html
> to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
> similar).


Not true. The only thing that is visible is the HOST. The path is part of
the encrypted channel, and thus not visible to anybody.

In other words the ISP knows you have connected to https://myserver.com
but has no idea what page you viewed or what query parameters you sent
(the /mystuff/keepout.html?pinnumber129878943 in this case).

Using an anonymous SSL proxy would eliminate even the HOST part - if you
consider that necessary (e.g. if you are worried about traffic analysis),
but then you have to trust the proxy operator not to blow the whistle.
--
Mailman



 
Rowdy Yates
 
      01-24-2004
I am reading some uber-geek crypto stuff. looks like SSL ain't quite all
it's cracked up to be.

http://www.rsasecurity.com/rsalabs/faq/5-1-2.html

do a google on "SSL AND myths"

"anon" <(E-Mail Removed)> wrote in
news:busceh$qvp$(E-Mail Removed):

> Q. Can an ISP or packet sniffers view fully all SSL requests, that is
> to say the full HTTPS:// link??
> For example if I visited
> https://myserver.com/mystuff/keepout...umber129878943 would
> that be visible IP traffic??
>
> If so is there any way around this?
>
> Thanks in advance for any feedback.
>
> Sparkey
>
>
>
>




--
Rowdy Yates
I am Against-TCPA
http://www.againsttcpa.com
 
Hairy One Kenobi
 
      01-24-2004
"Rowdy Yates" <(E-Mail Removed)> wrote in message
news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
> I am reading some uber-geek crypto stuff. looks like SSL ain't quite all
> it's cracked up to be.


Aside from the couple of things that have already been mentioned, how about
a cite? Google's quite large.. ;o)

H1K


 
Colonel Flagg
 
      01-24-2004
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:
>
> > In article <busceh$qvp$(E-Mail Removed)>, (E-Mail Removed) says...
> >> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
> >> the full HTTPS:// link??
> >> For example if I visited
> >> https://myserver.com/mystuff/keepout...umber129878943 would that be
> >> visible IP traffic??
> >>
> >> If so is there any way around this?
> >>
> >> Thanks in advance for any feedback.
> >>
> >> Sparkey
> >>
> >>
> >>
> >>
> >>

> >
> >
> > The URL _will_be_ visible, unless you're using an "encoded url" scheme,
> > such as the one provided in the CGI/Web Proxy of www.cotse.net, which
> > "encodes" the url from something like http://www.cnn.com/newsstory.html
> > to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
> > similar).

>
> Not true. The only thing that is visible is the HOST. The path is part of
> the encrypted channel, and thus not visible to anybody.
>
> In other words the ISP knows you have connected to https://myserver.com
> but has no idea what page you viewed or what query parameters you sent
> (the /mystuff/keepout.html?pinnumber129878943 in this case).
>
> Using an anonymous SSL proxy would eliminate even the HOST part - if you
> consider that necessary (e.g. if you are worried about traffic analysis),
> but then you have to trust the proxy operator not to blow the whistle.
>



My mistake. I was under the impression that the URL is completely
visible. I never checked that information out for myself (had no reason
to, didn't really care if anyone watched what I was looking at or not),
at any rate, when you said the above, I got out a sniffer and took a
look at an https connection, sure enough, nothing about the filename was
evident.


--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."
 
Hairy One Kenobi
 
      01-25-2004
"Colonel Flagg" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> In article <(E-Mail Removed)>,
> (E-Mail Removed) says...
> > On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:


<snip>

> > > The URL _will_be_ visible, unless you're using an "encoded url" scheme,
> > > such as the one provided in the CGI/Web Proxy of www.cotse.net, which
> > > "encodes" the url from something like http://www.cnn.com/newsstory.html
> > > to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
> > > similar).
> >
> > Not true. The only thing that is visible is the HOST. The path is part of
> > the encrypted channel, and thus not visible to anybody.


<snip>

> My mistake. I was under the impression that the URL is completely
> visible. I never checked that information out for myself (had no reason
> to, didn't really care if anyone watched what I was looking at or not),
> at any rate, when you said the above, I got out a sniffer and took a
> look at an https connection, sure enough, nothing about the filename was
> evident.


FWIW, it's an easy mistake to make - with everyone so used to using URLs,
it's easy to forget that there's a bunch of underlying protocols that are
doing the "real" work.

H1K


 
Colonel Flagg
 
      01-25-2004
In article <B6FQb.10307$(E-Mail Removed)>, abuse@[127.0.0.1] says...

> FWIW, it's an easy mistake to make - with everyone so used to using URLs,
> it's easy to forget that there's a bunch of underlying protocols that are
> doing the "real" work.
>
> H1K
>
>
>



didn't forget about the SSL/https, didn't realize that everything after
the domain was also encrypted. I just assumed, based on incorrect
information that was given to me previously, that the entire URL was
visible, just the content was encrypted.




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."
 
Rowdy Yates
 
      01-27-2004
the info was in the book. also on the accompanying cd-rom. it was covered
in RSA conference in 2000/2001. sounds like it was part of
notes/minutes/transcript of one of the speakers.

if you are that interested, i can dig it up.

ry

"Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
news:SpxQb.10007$(E-Mail Removed):

> "Rowdy Yates" <(E-Mail Removed)> wrote in message
> news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
>> I am reading some uber-geek crypto stuff. looks like SSL ain't quite
>> all it's cracked up to be.

>
> Aside from the couple of things that have already been mentioned, how
> about a cite? Google's quite large.. ;o)
>
> H1K
>
>
>




--
Rowdy Yates
I am Against-TCPA
http://www.againsttcpa.com
 