SSL HTTPS:// Visibility

Discussion in 'Computer Security' started by anon, Jan 23, 2004.

  1. anon

    anon Guest

    Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
    the full HTTPS:// link??
    For example if I visited
    https://myserver.com/mystuff/keepout.html?pinnumber129878943 would that be
    visible IP traffic??

    If so is there any way around this?

    Thanks in advance for any feedback.

    Sparkey
    anon, Jan 23, 2004
    #1

  2. "anon" <> wrote in message
    news:busceh$qvp$...
    > Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
    > the full HTTPS:// link??
    > For example if I visited
    > https://myserver.com/mystuff/keepout.html?pinnumber129878943 would that be
    > visible IP traffic??


    By definition, IP traffic is visible (pulling out the cable is the only way
    to get around that one ;o)

    What it /isn't/ is comprehensible to a sniffer (although there are - IIRC -
    one or two negotiation exploits that could have been used in the past to
    retrospectively analyse traffic. I'll also avoid mention of
    man-in-the-middle exploits..)

    The actual HTTP request (GET /mystuff/keepout.html?pinnumber129878943) will
    be encrypted. It's still vulnerable if the box itself is compromised,
    though - far better to use authentication IMHO.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
    Hairy One Kenobi, Jan 24, 2004
    #2

  3. In article <busceh$qvp$>, says...
    > Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
    > the full HTTPS:// link??
    > For example if I visited
    > https://myserver.com/mystuff/keepout.html?pinnumber129878943 would that be
    > visible IP traffic??
    >
    > If so is there any way around this?
    >
    > Thanks in advance for any feedback.
    >
    > Sparkey

    The URL _will_be_ visible, unless you're using an "encoded url" scheme,
    such as the one provided in the CGI/Web Proxy of www.cotse.net, which
    "encodes" the url from something like http://www.cnn.com/newsstory.html
    to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
    similar).




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 24, 2004
    #3
  4. anon

    Mailman Guest

    On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:

    > In article <busceh$qvp$>, says...
    >> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
    >> the full HTTPS:// link??
    >> For example if I visited
    >> https://myserver.com/mystuff/keepout.html?pinnumber129878943 would that be
    >> visible IP traffic??
    >>
    >> If so is there any way around this?
    >>
    >> Thanks in advance for any feedback.
    >>
    >> Sparkey
    >
    >
    > The URL _will_be_ visible, unless you're using an "encoded url" scheme,
    > such as the one provided in the CGI/Web Proxy of www.cotse.net, which
    > "encodes" the url from something like http://www.cnn.com/newsstory.html
    > to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
    > similar).


    Not true. The only thing that is visible is the HOST. The path is part of
    the encrypted channel, and thus not visible to anybody.

    In other words the ISP knows you have connected to https://myserver.com
    but has no idea what page you viewed or what query parameters you sent
    (the /mystuff/keepout.html?pinnumber129878943 in this case).

    Using an anonymous SSL proxy would eliminate even the HOST part - if you
    consider that necessary (e.g. if you are worried about traffic analysis),
    but then you have to trust the proxy operator not to blow the whistle.
    --
    Mailman



    Mailman, Jan 24, 2004
    #4
  5. anon

    Rowdy Yates Guest

    I am reading some uber-geek crypto stuff. looks like SSL ain't quite all
    it's cracked up to be.

    http://www.rsasecurity.com/rsalabs/faq/5-1-2.html

    do a google on "SSL AND myths"

    "anon" <> wrote in
    news:busceh$qvp$:

    > Q. Can an ISP or packet sniffers view fully all SSL requests, that is
    > to say the full HTTPS:// link??
    > For example if I visited
    > https://myserver.com/mystuff/keepout.html?pinnumber129878943 would
    > that be visible IP traffic??
    >
    > If so is there any way around this?
    >
    > Thanks in advance for any feedback.
    >
    > Sparkey

    --
    Rowdy Yates
    I am Against-TCPA
    http://www.againsttcpa.com
    Rowdy Yates, Jan 24, 2004
    #5
  6. "Rowdy Yates" <> wrote in message
    news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
    > I am reading some uber-geek crypto stuff. looks like SSL ain't quite all
    > it's cracked up to be.


    Aside from the couple of things that have already been mentioned, how about
    a cite? Google's quite large.. ;o)

    H1K
    Hairy One Kenobi, Jan 24, 2004
    #6
  7. In article <>,
    says...
    > On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:
    >
    > > In article <busceh$qvp$>, says...
    > >> Q. Can an ISP or packet sniffers view fully all SSL requests, that is to say
    > >> the full HTTPS:// link??
    > >> For example if I visited
    > >> https://myserver.com/mystuff/keepout.html?pinnumber129878943 would that be
    > >> visible IP traffic??
    > >>
    > >> If so is there any way around this?
    > >>
    > >> Thanks in advance for any feedback.
    > >>
    > >> Sparkey
    > >
    > >
    > > The URL _will_be_ visible, unless you're using an "encoded url" scheme,
    > > such as the one provided in the CGI/Web Proxy of www.cotse.net, which
    > > "encodes" the url from something like http://www.cnn.com/newsstory.html
    > > to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
    > > similar).

    >
    > Not true. The only thing that is visible is the HOST. The path is part of
    > the encrypted channel, and thus not visible to anybody.
    >
    > In other words the ISP knows you have connected to https://myserver.com
    > but has no idea what page you viewed or what query parameters you sent
    > (the /mystuff/keepout.html?pinnumber129878943 in this case).
    >
    > Using an anonymous SSL proxy would eliminate even the HOST part - if you
    > consider that necessary (e.g. if you are worried about traffic analysis),
    > but then you have to trust the proxy operator not to blow the whistle.
    >



    My mistake. I was under the impression that the URL is completely
    visible. I never checked that information out for myself (had no reason
    to, didn't really care if anyone watched what I was looking at or not),
    at any rate, when you said the above, I got out a sniffer and took a
    look at an https connection, sure enough, nothing about the filename was
    evident.


    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 24, 2004
    #7
  8. "Colonel Flagg" <> wrote in
    message news:...
    > In article <>,
    > says...
    > > On Sat, 24 Jan 2004 09:55:18 -0500, Colonel Flagg wrote:


    <snip>

    > > > The URL _will_be_ visible, unless you're using an "encoded url" scheme,
    > > > such as the one provided in the CGI/Web Proxy of www.cotse.net, which
    > > > "encodes" the url from something like http://www.cnn.com/newsstory.html
    > > > to http://www.cotse.net/web.cgi?23454825924yr87w465087365 (or something
    > > > similar).
    > >
    > > Not true. The only thing that is visible is the HOST. The path is part of
    > > the encrypted channel, and thus not visible to anybody.


    <snip>

    > My mistake. I was under the impression that the URL is completely
    > visible. I never checked that information out for myself (had no reason
    > to, didn't really care if anyone watched what I was looking at or not),
    > at any rate, when you said the above, I got out a sniffer and took a
    > look at an https connection, sure enough, nothing about the filename was
    > evident.


    FWIW, it's an easy mistake to make - with everyone so used to using URLs,
    it's easy to forget that there's a bunch of underlying protocols that are
    doing the "real" work.

    H1K
    Hairy One Kenobi, Jan 25, 2004
    #8
  9. In article <B6FQb.10307$>, abuse@
    [127.0.0.1] says...

    > FWIW, it's an easy mistake to make - with everyone so used to using URLs,
    > it's easy to forget that there's a bunch of underlying protocols that are
    > doing the "real" work.
    >
    > H1K

    didn't forget about the SSL/https, didn't realize that everything after
    the domain was also encrypted. I just assumed, based on incorrect
    information that was given to me previously, that the entire URL was
    visible, just the content was encrypted.




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 25, 2004
    #9
  10. anon

    Rowdy Yates Guest

    the info was in the book. also on the accompanying cd-rom. it was covered
    in RSA conference in 2000/2001. sounds like it was part of
    notes/minutes/transcript of one of the speakers.

    if you are that interested, i can dig it up.

    ry

    "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
    news:SpxQb.10007$:

    > "Rowdy Yates" <> wrote in message
    > news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
    >> I am reading some uber-geek crypto stuff. looks like SSL ain't quite
    >> all it's cracked up to be.

    >
    > Aside from the couple of things that have already been mentioned, how
    > about a cite? Google's quite large.. ;o)
    >
    > H1K

    --
    Rowdy Yates
    I am Against-TCPA
    http://www.againsttcpa.com
    Rowdy Yates, Jan 27, 2004
    #10
  11. anon

    Rowdy Yates Guest

    try this...it's old news....

    http://www.theregister.co.uk/content/55/21685.html



    Rowdy Yates <> wrote in
    news:Xns947CD7B2D32BDrowdyyatesnospamlyco@66.185.95.104:

    > the info was in the book. also on the accompanying cd-rom. it was
    > covered in RSA conference in 2000/2001. sounds like it was part of
    > notes/minutes/transcript of one of the speakers.
    >
    > if you are that interested, i can dig it up.
    >
    > ry
    >
    > "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
    > news:SpxQb.10007$:
    >
    >> "Rowdy Yates" <> wrote in message
    >> news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
    >>> I am reading some uber-geek crypto stuff. looks like SSL ain't quite
    >>> all it's cracked up to be.

    >>
    >> Aside from the couple of things that have already been mentioned, how
    >> about a cite? Google's quite large.. ;o)
    >>
    >> H1K

    --
    Rowdy Yates
    I am Against-TCPA
    http://www.againsttcpa.com
    Rowdy Yates, Jan 27, 2004
    #11
  12. anon

    Rowdy Yates Guest

    http://ucsu.colorado.edu/~breitenm/ssl.html



    Rowdy Yates <> wrote in
    news:Xns947CD7FAC2EC4rowdyyatesnospamlyco@66.185.95.104:

    > try this...it's old news....
    >
    > http://www.theregister.co.uk/content/55/21685.html
    >
    >
    >
    > Rowdy Yates <> wrote in
    > news:Xns947CD7B2D32BDrowdyyatesnospamlyco@66.185.95.104:
    >
    >> the info was in the book. also on the accompanying cd-rom. it was
    >> covered in RSA conference in 2000/2001. sounds like it was part of
    >> notes/minutes/transcript of one of the speakers.
    >>
    >> if you are that interested, i can dig it up.
    >>
    >> ry
    >>
    >> "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
    >> news:SpxQb.10007$:
    >>
    >>> "Rowdy Yates" <> wrote in message
    >>> news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
    >>>> I am reading some uber-geek crypto stuff. looks like SSL ain't quite
    >>>> all it's cracked up to be.
    >>>
    >>> Aside from the couple of things that have already been mentioned, how
    >>> about a cite? Google's quite large.. ;o)
    >>>
    >>> H1K

    --
    Rowdy Yates
    I am Against-TCPA
    http://www.againsttcpa.com
    Rowdy Yates, Jan 27, 2004
    #12
  13. "Rowdy Yates" <> wrote in message
    news:Xns947CD7FAC2EC4rowdyyatesnospamlyco@66.185.95.104...
    > try this...it's old news....
    >
    > http://www.theregister.co.uk/content/55/21685.html


    Yep, that's one I was thinking of (a negotiation flaw in one specific
    toolkit). Didn't mention the Man-in-the-Middle certificate problem (mainly
    because I'd forgotten about it ;o) IIRC, that was patched a few years ago..

    I'd welcome any information about current flaws..

    H1K

    > Rowdy Yates <> wrote in
    > news:Xns947CD7B2D32BDrowdyyatesnospamlyco@66.185.95.104:
    >
    > > the info was in the book. also on the accompanying cd-rom. it was
    > > covered in RSA conference in 2000/2001. sounds like it was part of
    > > notes/minutes/transcript of one of the speakers.
    > >
    > > if you are that interested, i can dig it up.
    > >
    > > ry
    > >
    > > "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
    > > news:SpxQb.10007$:
    > >
    > >> "Rowdy Yates" <> wrote in message
    > >> news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
    > >>> I am reading some uber-geek crypto stuff. looks like SSL ain't quite
    > >>> all it's cracked up to be.
    > >>
    > >> Aside from the couple of things that have already been mentioned, how
    > >> about a cite? Google's quite large.. ;o)
    Hairy One Kenobi, Jan 27, 2004
    #13
  14. anon

    Rowdy Yates Guest

    he..he..

    1st rule of crypto. there is always a current flaw. it's just that no one
    is talking.

    "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
    news:YrpRb.11612$:

    > "Rowdy Yates" <> wrote in message
    > news:Xns947CD7FAC2EC4rowdyyatesnospamlyco@66.185.95.104...
    >> try this...it's old news....
    >>
    >> http://www.theregister.co.uk/content/55/21685.html

    >
    > Yep, that's one I was thinking of (a negotiation flaw in one
    > specific toolkit). Didn't mention the Man-in-the-Middle certificate
    > problem (mainly because I'd forgotten about it ;o) IIRC, that was
    > patched a few years ago..
    >
    > I'd welcome any information about current flaws..
    >
    > H1K
    >
    >> Rowdy Yates <> wrote in
    >> news:Xns947CD7B2D32BDrowdyyatesnospamlyco@66.185.95.104:
    >>
    >> > the info was in the book. also on the accompanying cd-rom. it was
    >> > covered in RSA conference in 2000/2001. sounds like it was part of
    >> > notes/minutes/transcript of one of the speakers.
    >> >
    >> > if you are that interested, i can dig it up.
    >> >
    >> > ry
    >> >
    >> > "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
    >> > news:SpxQb.10007$:
    >> >
    >> >> "Rowdy Yates" <> wrote in message
    >> >> news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
    >> >>> I am reading some uber-geek crypto stuff. looks like SSL ain't
    >> >>> quite all it's cracked up to be.
    >> >>
    >> >> Aside from the couple of things that have already been mentioned,
    >> >> how about a cite? Google's quite large.. ;o)


    --
    Rowdy Yates
    I am Against-TCPA
    http://www.againsttcpa.com
    Rowdy Yates, Jan 28, 2004
    #14
  15. "Rowdy Yates" <> wrote in message
    news:Xns947DE4D05EE2Crowdyyatesnospamlyco@66.185.95.104...
    > he..he..
    >
    > 1st rule of crypto. there is always a current flaw. it's just that no one
    > is talking.


    It's not specific to cryptography:

    1. Any program contains at least one unknown bug
    2. Any program can be decreased in size by at least one operand

    Proof by intimidation: Any program can be reduced in size to one operand.
    And won't work. ;o)

    H1K

    > "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
    > news:YrpRb.11612$:
    >
    > > "Rowdy Yates" <> wrote in message
    > > news:Xns947CD7FAC2EC4rowdyyatesnospamlyco@66.185.95.104...
    > >> try this...it's old news....
    > >>
    > >> http://www.theregister.co.uk/content/55/21685.html

    > >
    > > Yep, that's one I was thinking of (a negotiation flaw in one
    > > specific toolkit). Didn't mention the Man-in-the-Middle certificate
    > > problem (mainly because I'd forgotten about it ;o) IIRC, that was
    > > patched a few years ago..
    > >
    > > I'd welcome any information about current flaws..
    > >
    > > H1K
    > >
    > >> Rowdy Yates <> wrote in
    > >> news:Xns947CD7B2D32BDrowdyyatesnospamlyco@66.185.95.104:
    > >>
    > >> > the info was in the book. also on the accompanying cd-rom. it was
    > >> > covered in RSA conference in 2000/2001. sounds like it was part of
    > >> > notes/minutes/transcript of one of the speakers.
    > >> >
    > >> > if you are that interested, i can dig it up.
    > >> >
    > >> > ry
    > >> >
    > >> > "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in
    > >> > news:SpxQb.10007$:
    > >> >
    > >> >> "Rowdy Yates" <> wrote in message
    > >> >> news:Xns947A74F09873Erowdyyatesnospamlyco@66.185.95.104...
    > >> >>> I am reading some uber-geek crypto stuff. looks like SSL ain't
    > >> >>> quite all it's cracked up to be.
    > >> >>
    > >> >> Aside from the couple of things that have already been mentioned,
    > >> >> how about a cite? Google's quite large.. ;o)

    > --
    > Rowdy Yates
    > I am Against-TCPA
    > http://www.againsttcpa.com
    Hairy One Kenobi, Jan 28, 2004
    #15
