HTTPs - secure?

Discussion in 'Security' started by richard.feakes, Apr 28, 2009.

  1. #1
    Hello everyone,

    I am a website designer but am trying hard to increase my awareness and knowledge of internet security related issues.

    I wonder if you guys could help me first with a really simple question:

    my understanding of HTTPS is that it is not enormously secure. If I understand its workings correctly, a private key is agreed on in plain text transmission before encrypted messages begin, meaning that if someone is snooping on packets between the client and the server, they can utilise this private key to crack the following encrypted messages. Is this incorrect? Have I completely misunderstood this?

    Many thanks! :)
     
    richard.feakes, Apr 28, 2009 IP
  2. SSANZ

    #2
    Yes, you have misunderstood this: you cannot sniff out these encrypted packets, as the two hashes provide encryption at either end of the communication.

    However, there was an MD5 scare with old SSL certs. Google it.
     
    SSANZ, Apr 28, 2009 IP
  3. richard.feakes

    #3
    Many thanks for that.

    Richard
     
    richard.feakes, Apr 29, 2009 IP
  4. Ladadadada

    #4
    Wikipedia has a reasonable page on SSL (now called TLS everywhere but on websites) here: http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake_in_detail and has a very good page on Asymmetric Cryptography (with diagrams and everything!) which explains how the client and the server can agree on an encryption key without ever sending the encryption key over the network. http://en.wikipedia.org/wiki/Public-key_cryptography

    The SSL scare that SSANZ mentioned was to do with the random number generator on Debian being rather predictable for the last few years due to a single line of code being commented out. Basically, any SSL certificate (including root certificates) generated on a Debian system in the last few years is now not secure and should be regenerated. I think this includes the certificate request file as well as the actual certificate, so if either you or your CA uses Debian then you may be affected. I understand that most of the CAs that were affected offered to re-sign any certificates you bought from them for free with their new, secure root certificate.

    Hmmm... actually, now that I think about it, that was a different (slightly older) issue with SSL certs. The MD5 issue was caused by a group of researchers who found collisions with MD5-based certs. Since most CAs had already moved to SHA1-based certs it only affected a very small number of CAs and therefore a small number of certs. It never affected EV certs because those require SHA1 or better. Last thing I heard was that only a couple of CAs were holding out and still using MD5, and the security community was advising strongly against using those couple of CAs.
     
    Ladadadada, May 16, 2009 IP
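The key-agreement point made in the post above, as an added worked example (not code from any poster in this thread): a toy Diffie-Hellman exchange in which client and server end up with the same key although that key never crosses the network, followed by what a passive sniffer would have to do with the values it actually saw. The group parameters (p = 10007) are a constructed toy chosen so the sniffer's brute-force step finishes instantly; real TLS groups use a prime of 2048 bits or more, which is exactly what makes that step infeasible.

```python
"""Toy Diffie-Hellman key agreement: the client and server each end up
with the same key, yet the key itself is never sent. Added example for
this thread, not code from any poster. The group below is a constructed
toy (p = 10007) so the sniffer's brute-force step finishes instantly;
real TLS groups use p of 2048 bits or more."""

import secrets
from typing import Dict, Tuple

# Constructed toy parameters (NOT for real use). 10007 is a safe prime:
# q = (p - 1) / 2 = 5003 is prime too, so g generates the whole group
# exactly when g^2 != 1 and g^q != 1 (mod p).
P = 10007
Q = (P - 1) // 2


def find_generator(p: int, q: int) -> int:
    """Smallest g that generates Z_p^* for a safe prime p = 2q + 1."""
    for g in range(2, p - 1):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator: p is not a safe prime")


G = find_generator(P, Q)


def dh_keypair(p: int = P, g: int = G) -> Tuple[int, int]:
    """Random private exponent x and the public value g^x mod p.
    Only the public value ever goes on the wire."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p - 2
    return x, pow(g, x, p)


def dh_shared(their_public: int, my_private: int, p: int = P) -> int:
    """(g^y)^x == (g^x)^y mod p: both sides compute the same number."""
    return pow(their_public, my_private, p)


def run_exchange(p: int = P, g: int = G) -> Dict[str, object]:
    """Simulate one handshake. 'wire' is everything a sniffer could see;
    the private exponents never leave their own side."""
    client_priv, client_pub = dh_keypair(p, g)
    server_priv, server_pub = dh_keypair(p, g)
    wire = {"p": p, "g": g, "client_pub": client_pub, "server_pub": server_pub}
    return {
        "wire": wire,
        "client_key": dh_shared(server_pub, client_priv, p),
        "server_key": dh_shared(client_pub, server_priv, p),
    }


def eavesdropper_recover(wire: Dict[str, int]) -> int:
    """What a passive sniffer has to do with only the wire data: solve
    g^x = client_pub (mod p) for x by trying every candidate, then finish
    the exchange itself. Linear in p: trivial for p = 10007, hopeless for
    a 2048-bit p."""
    p, g = wire["p"], wire["g"]
    candidate = 1
    for x in range(1, p - 1):
        candidate = (candidate * g) % p       # candidate == g^x mod p
        if candidate == wire["client_pub"]:
            return pow(wire["server_pub"], x, p)
    raise ValueError("discrete log not found")


if __name__ == "__main__":
    result = run_exchange()
    print("on the wire:", result["wire"])
    print("client key :", result["client_key"])
    print("server key :", result["server_key"])
    print("sniffer got:", eavesdropper_recover(result["wire"]),
          "(only because p is tiny)")
```

Run it a few times: the wire contents change every run, both sides always agree, and the sniffer only wins because the search space is 10007 values. Real TLS also authenticates the server's half of the exchange with its certificate, so that an active attacker cannot simply substitute their own public value; this toy leaves that part out.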
  5. utsavbasu

    #5
    Hi friends, :)

    I just read your requirements. Security is the biggest issue in this world. You have to learn more about these security features. I have also been trying to learn that for 3 years. I have learnt something, not so vast, but it really works for me.
    I have made a blog where I am submitting about any security features. Please visit my home page. This is fundamental, where you can find your security-related links. Try this: [ep6network] dot [blogspot] dot com


    Thanks and Regards
    Utsav Basu
     
    utsavbasu, May 22, 2009 IP
  6. pitagora

    #6
    Generally it's secure. There are only issues with incorrect use. Some pitfalls to avoid:

    1. Do not provide both SSL and non-SSL versions of pages.
    2. Use HTTPS-only cookies! Do not transmit login tokens and cookies in clear text, because that spells trouble.
    3. Make the entire site SSL, not just the login page.


    And of course this only prevents man-in-the-middle attacks and some cases of cookie stealing. HTTPS will in no way solve other vulnerabilities in the code. Only a good programmer and a code audit will do that :)
     
    pitagora, May 27, 2009 IP
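The three pitfalls in the post above, turned into checks you can run, as an added example (not code from the poster): an auditor that parses a Set-Cookie header and reports when the Secure flag (pitfall 2) or the HttpOnly flag (the script-based cookie stealing mentioned at the end) is missing, a builder for a hardened header, and a redirect helper that sends every plain-HTTP request to the HTTPS version of the same URL (pitfalls 1 and 3). The header values and the hostname `shop.example` are constructed for the demo.

```python
"""Checks for the three pitfalls in the thread: no plain-HTTP version of
a page, session cookies that never travel in clear text, and HTTPS on
every page. Added example, not code from the poster. Header values and
hostnames are constructed for the demo."""

from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple


def audit_set_cookie(header_value: str) -> Dict[str, List[str]]:
    """Parse one Set-Cookie header value and report, per cookie, the
    flags that are missing. 'Secure' is the HTTPS-only flag; without it
    the browser also sends the cookie on any http:// request to the host.
    'HttpOnly' keeps the cookie out of reach of page script."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        problems = []
        if not morsel["secure"]:
            problems.append("missing Secure: cookie is sent over plain HTTP too")
        if not morsel["httponly"]:
            problems.append("missing HttpOnly: cookie is readable by page script")
        findings[name] = problems
    return findings


def hardened_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie header value with both flags set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["path"] = path
    return jar[name].OutputString()


def https_redirect(scheme: str, host: str,
                   path: str) -> Optional[Tuple[int, Dict[str, str]]]:
    """Any request that arrives over plain HTTP gets a permanent redirect
    to the same path over HTTPS; HTTPS requests pass through (None).
    'host' should be the site's configured canonical hostname, not a
    value copied blindly from the Host header, or the redirect becomes
    an open redirect. 'path' must start with '/'."""
    if scheme.lower() == "https":
        return None
    return 301, {"Location": "https://%s%s" % (host, path)}


if __name__ == "__main__":
    # Constructed header as a leaky site might send it:
    leaky = "session=abc123; Path=/"
    print(leaky, "->", audit_set_cookie(leaky))
    fixed = hardened_set_cookie("session", "abc123")
    print(fixed, "->", audit_set_cookie(fixed))
    print(https_redirect("http", "shop.example", "/account?tab=orders"))
    print(https_redirect("https", "shop.example", "/account?tab=orders"))
```

Run `audit_set_cookie` over the Set-Cookie headers your own site emits (one call per header) and anything that comes back with a non-empty list is a token that will be exposed the first time a browser follows a plain-HTTP link to your host.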
  7. Sudoku-Master

    #7
    An HTTPS connection can be sniffed by a man-in-the-middle attack, but for that a manipulation of the DNS cache, or an entry in the hosts file, of the client PC is needed...
     
    Sudoku-Master, May 29, 2009 IP