SSL question

Discussion in 'Computer Security' started by Jim Watt, May 5, 2006.

  1. Jim Watt

    Jim Watt Guest

    If I have a secure server and open a frame on another non secure
    webserver is the data to the browser from the frame encrypted?
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 5, 2006
    #1

  2. Jim Watt

    TwistyCreek Guest

    Jim Watt wrote:

    > If I have a secure server and open a frame on another non secure webserver
    > is the data to the browser from the frame encrypted?


    No.

    Now ask the question properly and you may discover why it's still OK to do
    things like this in most cases.
     
    TwistyCreek, May 5, 2006
    #2

  3. TwistyCreek wrote:
    > Jim Watt wrote:
    >
    >> If I have a secure server and open a frame on another non secure webserver
    >> is the data to the browser from the frame encrypted?

    >
    > No.
    >
    > Now ask the question properly and you may discover why it's still OK to do
    > things like this in most cases.


    Beside that it will make your address bar change from yellow to red,
    orange or white, a broken SSL icon and a warning about mixed content
    popping up, what exactly is the purpose of such a stupid thing except
    giving a wonderful opportunity for phishing?
     
    Sebastian Gottschalk, May 5, 2006
    #3
  4. Jim Watt

    TwistyCreek Guest

    Sebastian Gottschalk wrote:

    > TwistyCreek wrote:
    >> Jim Watt wrote:
    >>
    >>> If I have a secure server and open a frame on another non secure
    >>> webserver is the data to the browser from the frame encrypted?

    >>
    >> No.
    >>
    >> Now ask the question properly and you may discover why it's still OK to
    >> do things like this in most cases.

    >
    > Beside that it will make your address bar change from yellow to red,
    > orange or white, a broken SSL icon and a warning about mixed content


    How descriptively myopic of you to base a reply on pretty color changes
    and dummy graphics, and miss the point entirely. <sigh>

    > popping up, what exactly is the purpose of such a stupid thing except
    > giving a wonderful opportunity for phishing?


    Why would you assume that any nefarious motives exist? The question was
    regarding end-to-end encryption and distributed content. And more
    importantly perfect forward security, which SSL never has and never will
    provide.

    Now go back and think real slowly about what was being asked, the answer
    given, and see if you can't manage to stumble across the correct page
    before you reply again.

    Don't worry, nobody will be holding their breath.
     
    TwistyCreek, May 5, 2006
    #4
  5. Jim Watt

    Jim Watt Guest

    On 5 May 2006 19:53:21 -0000, TwistyCreek <>
    wrote:

    I seem to have missed the reply from Sebastian Grottytalk
    however, haven't missed much

    >what exactly is the purpose of such a stupid thing except
    >giving a wonderful opportunity for phishing?


    The purpose of 'such a thing' is devising a mechanism to read
    my webmail whilst using other people's computers and networks.

    Answers from those with a clue on how are welcomed.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 5, 2006
    #5
  6. TwistyCreek wrote:

    >>> Now ask the question properly and you may discover why it's still OK to
    >>> do things like this in most cases.

    >> Beside that it will make your address bar change from yellow to red,
    >> orange or white, a broken SSL icon and a warning about mixed content

    >
    > How descriptively myopic of you to base a reply on pretty color changes
    > and dummy graphics, and miss the point entirely. <sigh>


    You really don't understand visual SSL indicators in modern web browsers,
    do you?

    >> popping up, what exactly is the purpose of such a stupid thing except
    >> giving a wonderful opportunity for phishing?

    >
    > Why would you assume that any nefarious motives exist?


    Because of a malicious third party?
    If you can do a
    https://mysecuresite.com/main.php?include=http://someevilsite.com/evil,
    you have a serious problem anyway, but that's exactly what the mixed
    content warning is good for.

    > The question was
    > regarding end-to-end encryption and distributed content. And more
    > importantly perfect forward security, which SSL never has and never will
    > provide.


    There is no need for forwarding, transferring session data can be done
    from server to server by utilizing a simple token.

    > Now go back and think real slowly about what was being asked, the answer
    > given,


    I already did before posting a reply.
     
    Sebastian Gottschalk, May 5, 2006
    #6
  7. Jim Watt

    Todd H. Guest

    Jim Watt <_way> writes:
    > If I have a secure server and open a frame on another non secure
    > webserver is the data to the browser from the frame encrypted?


    Jim, as specified, I'm not sure there are enough details to answer
    this question accurately. For instance, no one can be sure if you're
    using frame in the actual iframe html sense, or in the sense of a
    window popup, without seeing the specific site you're looking to
    access, it's hard to say what's encrypted and what's not, etc.

    Evidently you have a very specific situation in mind. You may wish to
    download and run Ethereal, a freeware sniffer, and capture data and
    review it when logging in and interacting with your email on your own
    machine to see how it might be from another machine.

    Now, even if it is encrypted, your risk accessing email from someone
    else's machine lies more in keylogging and password grabbing from the
    system itself rather than things being sniffed on the wire. This is
    mitigated somewhat if, say, there's a java based keyboard or something
    clever on the site you're accessing to be able to enter your password
    without using the keyboard or OS directly, but even then, you're still
    subject to eavesdropping, and will have some security exposure. Plus
    I haven't seen any such mail system in existence other than in my
    mind.

    If you're using computers you don't own, about the best you can do is
    visually inspect for keyloggers, and boot to a knoppix disk or
    something.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., May 5, 2006
    #7
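
An added example, not part of any post in this thread: the transport of a framed document is decided by the frame's own resolved URL, not by the page that embeds it. The sketch below resolves each `frame`/`iframe` source against the outer page and labels it; the page URL, host names and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample (assumption, not from the thread): an HTTPS page framing webmail.
SAMPLE_PAGE_URL = "https://secure.example.test/portal/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="http://mail.example.test/webmail/"></iframe>
<iframe src="https://mail.example.test/webmail/"></iframe>
<iframe src="//mail.example.test/inbox"></iframe>
<frame src="folders.html">
<iframe src="about:blank"></iframe>
</body></html>
"""


class FrameCollector(HTMLParser):
    """Collects frame/iframe src values and the first <base href>, if any."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.base_href = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base_href is None:
            self.base_href = attrs["href"]
        elif tag in ("frame", "iframe") and attrs.get("src"):
            self.sources.append(attrs["src"])


def classify_frames(page_url, html):
    """Return [(absolute_frame_url, status)] for every frame in the page.

    status is 'encrypted' (https), 'mixed-content' (http frame inside an
    https page), 'cleartext' (http frame inside an http page) or
    'other-scheme' (about:, data:, and so on).
    """
    collector = FrameCollector()
    collector.feed(html)
    # Relative and scheme-relative (//host/path) sources inherit from the base.
    base = urljoin(page_url, collector.base_href) if collector.base_href else page_url
    parent_is_tls = urlsplit(page_url).scheme == "https"
    results = []
    for src in collector.sources:
        absolute = urljoin(base, src)
        scheme = urlsplit(absolute).scheme
        if scheme == "https":
            status = "encrypted"
        elif scheme == "http":
            status = "mixed-content" if parent_is_tls else "cleartext"
        else:
            status = "other-scheme"
        results.append((absolute, status))
    return results


if __name__ == "__main__":
    for url, status in classify_frames(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{status:14} {url}")
```

This is a static check of the markup only; redirects and frames created by script are visible only in a capture of the live session.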
  8. Jim Watt

    Jim Watt Guest

    On 05 May 2006 16:17:19 -0500, (Todd H.) wrote:

    >I haven't seen any such mail system in existence


    Neither have I, but that's no reason not to try and build
    one. The question is how easily it can be done.

    Thus the question.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 5, 2006
    #8
  9. Jim Watt

    Rick Merrill Guest

    Rick Merrill, May 6, 2006
    #9
  10. Rick Merrill wrote:
    > SSL can be trojaned! - Rick
    >
    >
    > http://weblog.infoworld.com/article/06/05/01/77877_18OPeditor_1.html


    I would at least have written it as "SSL can be tr0janed !!!!!!!!!1112".

    From TFA: "Infoworld.com’s security adviser columnist and contributing
    editor Roger Grimes loves his job. And why not?"

    That's easy to answer:
    <http://images.infoworld.com/img/img_hdshot_82x74_Steve_Fox.gif>
     
    Sebastian Gottschalk, May 6, 2006
    #10
  11. Jim Watt

    Jim Watt Guest

    On Fri, 05 May 2006 19:34:08 -0400, Rick Merrill
    <> wrote:

    >Jim Watt wrote:
    >> If I have a secure server and open a frame on another non secure
    >> webserver is the data to the browser from the frame encrypted?
    >> --
    >> Jim Watt
    >> http://www.gibnet.com

    >
    >SSL can be trojaned! - Rick


    Interesting, but that does not answer the question.

    Hint: the secure server will be mine and the application
    will be webmail on another of my servers.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, May 6, 2006
    #11
  12. Jim Watt

    DRosen Guest

    Jim Watt wrote:
    > On 5 May 2006 19:53:21 -0000, TwistyCreek <>
    > wrote:
    >
    > I seem to have missed the reply from Sebastian Grottytalk
    > however, haven't missed much
    >
    > >what exactly is the purpose of such a stupid thing except
    > >giving a wonderful opportunity for phishing?

    >
    > The purpose of 'such a thing' is devising a mechanism to read
    > my webmail whilst using other peoples computers and networks.
    >
    > Answers from those with a clue on how are welcomed.


    There is no single answer. It will behave however the network
    topography, software configuration, and HTML/PHP/JS/etc tell it to
    behave Jim. You're asking a meaningless question. You need to either
    specifically describe your situation in detail, or just test it
    yourself for crying out loud. Even 2 seconds with a utility that only
    shows TCP headers would tell you exactly what you want to know. At
    least as far as it appears you understand it enough to formulate the
    question. As someone else pointed out it's possible SSL can't provide
    you the sort of security you're looking for at all. Without first you
    understanding what you want, then us, we're wasting our time
    completely.
     
    DRosen, May 6, 2006
    #12
  13. DRosen wrote:
    > Jim Watt wrote:
    >> On 5 May 2006 19:53:21 -0000, TwistyCreek <>
    >> wrote:
    >>
    >> I seem to have missed the reply from Sebastian Grottytalk
    >> however, haven't missed much
    >>
    >>> what exactly is the purpose of such a stupid thing except
    >>> giving a wonderful opportunity for phishing?

    >> The purpose of 'such a thing' is devising a mechanism to read
    >> my webmail whilst using other peoples computers and networks.


    Then you have already lost, as these untrusted machines control
    both your input and output.
     
    Sebastian Gottschalk, May 6, 2006
    #13
  14. Jim Watt

    DRosen Guest

    TwistyCreek wrote:

    > Why would you assume that any nefarious motives exist? The question was
    > regarding end-to-end encryption and distributed content. And more
    > importantly perfect forward security, which SSL never has and never will
    > provide.


    Mostly correct. SSL provides little forward security, but the browser
    attempts to simulate it. A double-edged sword that can both be useful,
    and exploited by a resourceful attacker. One of those compromises
    that's "good enough" for most, but horribly flawed regardless. ;-)

    The issue of forward security is most important because of the
    (unknown) topography and ownership of the network in question, and
    where an attacker might be able to insert himself in that network, not
    so much the issue of whether or not data is encrypted coming into the
    client's machine. Another matter altogether, that also can't be
    answered without knowing a lot more.
     
    DRosen, May 6, 2006
    #14
  15. Jim Watt

    DRosen Guest

    Sebastian Gottschalk wrote:

    > >> The purpose of 'such a thing' is devising a mechanism to read
    > >> my webmail whilst using other peoples computers and networks.

    >
    > Then have you have already lost, as these untrusted machines control
    > both your input and output.


    Total nonsense. You have absolutely no idea if any more information
    will be given away by this "forwarding" than would be given away under
    normal circumstances, OR whether Jim isn't aware of and compensating
    for the inherent flaws in email itself with encrypted content or such.

    The simple fact remains that we haven't enough information to even make
    an educated guess. We don't know precisely what Jim wants, how much
    control he has, or how things might be physically configured.
     
    DRosen, May 6, 2006
    #15
  16. DRosen wrote:
    > Sebastian Gottschalk wrote:
    >
    >>>> The purpose of 'such a thing' is devising a mechanism to read
    >>>> my webmail whilst using other peoples computers and networks.

    >> Then have you have already lost, as these untrusted machines control
    >> both your input and output.

    >
    > Total nonsense. You have absolutely no idea if any more information
    > will be given away by this "forwarding" than would be given away under
    > normal circumstances,


    I wouldn't care much about encryption, but about Man-in-the-middle.

    > The simple fact remains that we haven't enough information to even make
    > an educated guess. We don't know precisely what Jim wants, how much
    > control he has, or how things might be physically configured.


    other people's computers and networks == untrusted, until there are
    funded facts about the contrary
     
    Sebastian Gottschalk, May 6, 2006
    #16
  17. DRosen wrote:
    > TwistyCreek wrote:
    >
    >> Why would you assume that any nefarious motives exist? The question was
    >> regarding end-to-end encryption and distributed content. And more
    >> importantly perfect forward security, which SSL never has and never will
    >> provide.

    >
    > Mostly correct. SSL provides little forward security, but the browser
    > attempts to simulate it. A double edge sword that can both be useful,
    > and exploited by a resourceful attacker.


    This is not about forward security, because the attacker can simply do
    his own forwarding, exploiting the trusted context.
     
    Sebastian Gottschalk, May 6, 2006
    #17
  18. Jim Watt

    TwistyCreek Guest

    Sebastian Gottschalk wrote:

    > TwistyCreek wrote:
    >
    >>>> Now ask the question properly and you may discover why it's still OK
    >>>> to do things like this in most cases.
    >>> Beside that it will make your address bar change from yellow to red,
    >>> orange or white, a broken SSL icon and a warning about mixed content

    >>
    >> How descriptively myopic of you to base a reply on pretty color changes
    >> and dummy graphics, and miss the point entirely. <sigh>

    >
    > You really don't understand visual SSL indicators in modern webbrowser, do
    > you?


    More than you EVER will. I also know they're irrelevant to the issue at
    hand because we have ZERO information about whether they'll even come into
    play.

    >
    >>> popping up, what exactly is the purpose of such a stupid thing except
    >>> giving a wonderful opportunity for phishing?

    >>
    >> Why would you assume that any nefarious motives exist?

    >
    > Because of a malicious third party?


    You really are a one trick pony, aren't you? Just can't seem to get that
    feeble mind to slip out of "evul haxor" gear, can you?

    >> The question was
    >> regarding end-to-end encryption and distributed content. And more
    >> importantly perfect forward security, which SSL never has and never will
    >> provide.

    >
    > There is no need for forwarding, transfering session data


    You're flailing around, fucking CLUELESS. Please invest a little time in
    educating yourself as to what 'forward security' means before embarrassing
    yourself any more.
     
    TwistyCreek, May 6, 2006
    #18
  19. TwistyCreek wrote:

    > More than you EVER will. I also know they're irrelevant to the issue at
    > hand because we have ZERO information about whether they'll even come into
    > play.


    May you please re-read the original question? He wanted to use frames on
    a SSL website to embed third-party content. And you suggested that even
    unencrypted content would be OK?

    >>>> popping up, what exactly is the purpose of such a stupid thing except
    >>>> giving a wonderful opportunity for phishing?
    >>> Why would you assume that any nefarious motives exist?

    >> Because of a malicious third party?

    >
    > You really are a one trick pony, aren't you? Just can't seem to get that
    > feeble mind to slip out of "evul haxor" gear, can you?


    Hm... what exactly is SSL supposed to protect against? Maybe a malicious
    third party?

    >>> The question was
    >>> regarding end-to-end encryption and distributed content. And more
    >>> importantly perfect forward security, which SSL never has and never will
    >>> provide.

    >> There is no need for forwarding, transfering session data

    >
    > You're flailing around, fucking CLUELESS. Please invest a little time in
    > educating yourself as to what 'forward security' means before embarrassing
    > yourself any more.


    I know exactly what it means and among trusted third parties the problem
    can be easily avoided by inter-server data transfer. And for non-trusted
    third parties or insecure forwarding it's obsolete.

    BTW, could YOU please educate yourself about clean and RFC-conformant
    postings? Your From-Address is obviously invalid, the
    admin^at^twistycreek^dot^com is absolutely useless as everyday spammer's
    filter would transform it to anyway, and I can't
    see anything good in attaching 10 empty lines at the end of your posting.
     
    Sebastian Gottschalk, May 6, 2006
    #19
  20. Jim Watt

    TwistyCreek Guest

    Sebastian Gottschalk wrote:

    > DRosen wrote:
    >> TwistyCreek wrote:
    >>
    >>> Why would you assume that any nefarious motives exist? The question was
    >>> regarding end-to-end encryption and distributed content. And more
    >>> importantly perfect forward security, which SSL never has and never
    >>> will provide.

    >>
    >> Mostly correct. SSL provides little forward security, but the browser
    >> attempts to simulate it. A double edge sword that can both be useful,
    >> and exploited by a resourceful attacker.

    >
    > This is not about forward security, because the attacker can simply do his
    > own forwarding, exploiting the trusted context.


    Oh for ****'s sake! That's what FORWARD SECURITY means, and why SSL
    doesn't provide any you nitwit. It's why SSL may not be able to DO what
    the OP wants at all.

    Jesus fucking CHRIST it's astounding. The number of people who claim to be
    "experts" in Usenet news groups but don't even comprehend the basic
    meanings of the simple concepts they're pretending to know something
    about is absolutely incredible.
     
    TwistyCreek, May 6, 2006
    #20
