SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security)


165 votes | 3 answers | 43k views

How does SSL work?

How does SSL work? I just realised we don't actually have a definitive answer here, and it's something worth covering. I'd like to see details in terms of: A high level description of the protocol. ...
147 votes | 3 answers | 32k views

CRIME - How to beat the BEAST successor?

With the advent of CRIME, BEAST's successor, what possible protection is available for an individual and / or system owner in order to protect themselves and their users against this new attack on ...
126 votes | 9 answers | 8k views

How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?

I've often heard it said that if you're logging in to a website - a bank, GMail, whatever - via HTTPS, that the information you transmit is safe from snooping by 3rd parties. I've always been a little ...
82 votes | 8 answers | 4k views

Attacking an office printer?

I did an nmap scan on an advanced office printer that has a domain name and is accessible from outside the corporate network. Surprisingly I found many open ports like http:80, https:443, and ...
53 votes | 12 answers | 3k views

Does an established SSL connection mean a line is really secure?

From the view of somebody offering a web application. When somebody connects with SSL (https) to our service and submits the correct authentication data, is it safe to transmit all sensitive data over ...
42 votes | 3 answers | 15k views

What's the difference between SSL, TLS, and HTTPS?

I get confused with the terms in this area. What is SSL, TLS, and HTTPS? What are the differences between them?
41 votes | 10 answers | 2k views

Why do we not trust an SSL certificate that expired recently?

Every SSL certificate has an expiration date. Now suppose some site's certificate expired an hour ago or a day ago. All the software by default will either just refuse to connect to the site or issue ...
38 votes | 11 answers | 4k views

What are the pros and cons of site wide SSL (https)?

What are the pros and cons of encrypting all HTTP traffic for the whole site through SSL, as opposed to SSL on just the login page?
34 votes | 7 answers | 8k views

Is BASIC-Auth secure if done over HTTPS?

I'm making a REST-API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used. Can this be considered secure?
33 votes | 4 answers | 5k views

Is posting from HTTP to HTTPS a bad practice?

Working on the assumption that SSL serves both to encrypt data and to provide assurance as to the identity and legitimacy of the website, should the practice of providing a logon form on a page ...
31 votes | 3 answers | 3k views

Are all SSL Certificates equal?

After running a few tests from Qualys' SSL Labs tool, I saw that there were quite significant rating differences between a GoDaddy and VeriSign certificate that I have tested against. Are all SSL ...
27 votes | 4 answers | 905 views

What is the impetus for major sites being HTTPS-exclusive now?

I've noticed that there are a good number of sites (Google, Twitter, Wikipedia) that are serving up every page over HTTPS. I can understand given that everyone is concerned over privacy now, but has ...
27 votes | 4 answers | 13k views

What is the difference between an x.509 “client certificate” and a normal SSL certificate?

I am setting up a web service through which my company will talk to a number of business customers' services. We will be exchanging information using SOAP. I would like to handle authentication with ...
25 votes | 9 answers | 3k views

Is visiting HTTPS websites on a public hotspot secure?

It's often said that HTTPS SSL/TLS connections are encrypted and said to be secure because the communication between the server and me is encrypted (also provides server authentication) so if someone ...
23 votes | 2 answers | 13k views

What is the difference between SSL vs SSH? Which is more secure?

What is the difference between SSH and SSL? Which one is more secure, if you can compare them together? Which has more potential vulnerabilities?
23 votes | 9 answers | 1k views

Is there any technical security reason not to buy the cheapest SSL certificate you can find?

While shopping for a basic SSL cert for my blog, I found that many of the more well known Certificate Authorities have an entry-level certificate (with less stringent validation of the purchaser's ...
23 votes | 3 answers | 1k views

Why was the BEAST attack previously considered implausible?

Can someone explain why the BEAST attack wasn't considered plausible? I saw an article quoting the creator as saying 'It is worth noting that the vulnerability that BEAST exploits has been presented ...
22 votes | 5 answers | 1k views

Why is HTTPS not the default protocol?

Why is HTTP still commonly used, instead of what I would believe to be the much more secure HTTPS?
22 votes | 2 answers | 3k views

I just send username and password over https. Is this ok?

When a user's logging in to my site, they send their username and password to me over https. Besides the ssl, there's no special obfuscation of the password - it lives in memory in the browser in the ...
20 votes | 8 answers | 2k views

Is anybody using client browser certificates?

Client browser certificates seem to be a nice way to protect sites from intruders - it is impossible to guess and should be harder to steal. Of course, they do not solve all the problems, but they add ...
20 votes | 7 answers | 3k views

Where to get an SSL certificate for personal website?

I would like to use https to login to my personal webpage (which is on shared hosting). So I went over to google and started searching for solutions. Eventually I found out that I need an SSL ...
20 votes | 7 answers | 963 views

Should I change the private key when renewing a certificate?

My security department insists that I (the system administrator) make a new private key when I want a SSL certificate renewed for our web servers. They claim it's best practice, but my googling ...
20 votes | 3 answers | 2k views

How does Convergence (CA replacement) prevent its notaries from being MITM'd as well?

I have been looking into Convergence and how it works, but I can't figure out how it is effective against a MITM attack that happens near the target system. My understanding is that Convergence works ...
20 votes | 7 answers | 2k views

Does it matter which Certificate Authority I source my SSL Certificate from?

To secure my web site with HTTPS, does it matter which company I source my SSL certificate from, or just that the browser recognizes it? From the Area51 proposal.
19 votes | 11 answers | 2k views

How feasible is it for a CA to be hacked? Which default trusted root certificates should I remove?

This question has been revised & clarified significantly since the original version. If we look at each trusted certificate in my Trusted Root store, how much should I trust them? What factors ...
19 votes | 5 answers | 978 views

Is it alright to tell everyone your encryption information?

I have an account in an online banking system and they have the FAQ with something like this: How secure is the <Online Banking System Name>? Each page you view and any information ...
19 votes | 2 answers | 2k views

Why is it possible to sniff an HTTPS / SSL request?

I'm new to the realm of HTTP requests and security and all that good stuff, but from what I've read, if you want your requests and responses encrypted, use HTTPS and SSL, and you'll be good. Someone ...
19 votes | 3 answers | 587 views

What is an SSL certificate intended to prove, and how does it do it?

If I get an SSL certificate from a well-known provider, what does that prove about my site and how? Here's what I know: Assume Alice and Bob both have public and private keys If Alice encrypts ...
18 votes | 8 answers | 7k views

Can my company see what HTTPS sites I went to?

At work my company uses internet monitoring software (websense). I know if I visit a https ssl-encrypted site (such as https://secure.logmein.com) they can't see what I'm doing on the site since all ...
18 votes | 4 answers | 1k views

Manually adding 's' to 'http'

I did a Wireshark capture of my login into a drupal-based website. The website does not use https. And so, quite obviously, I was able to capture my username and password in plain text by simply ...
18 votes | 3 answers | 7k views

What steps do Gmail, Yahoo! Mail, and Hotmail take to prevent eavesdropping on email?

I would like to ask what happens when an email is sent from gmail, yahoo or hotmail public web email services? I don't understand email protocols in detail, but as far as I know email traffic is ...
18 votes | 4 answers | 1k views

Why aren't application downloads routinely done over HTTPS?

We all know we should be using SSL whenever we collect passwords or other sensitive information. SSL provides two main benefits: Encryption: The data can't be read by a middle-man while in transit. ...
18 votes | 5 answers | 4k views

Trying to make a Django-based site use HTTPS-only, not sure if it's secure?

The EFF recommends using HTTPS everywhere on your site, and I'm sure this site would agree. When I asked a question about using Django to implement HTTPS on my login page, that was certainly the ...
16 votes | 9 answers | 571 views

Does hashing a file from an unsigned website give a false sense of security?

Consider this. Many websites with software downloads also make available MD5 or SHA1 hashes, for users to verify the integrity of the downloaded files. However, few of these sites actually use HTTPS ...
16 votes | 5 answers | 7k views

Are there security issues with embedding an HTTPS iframe on an HTTP page?

I've seen websites placing HTTPS iframes on HTTP pages. Are there any security concerns with this? Is it secure to transmit private information like credit card details in such a scheme (where the ...
15 votes | 2 answers | 482 views

Are URLs viewed during HTTPS transactions to one or more websites from a single IP distinguishable?

For example, say the following are HTTPS URLs to two websites by one IP over 5 mins: "A.com/1", "A.com/2", "A.com/3", "B.com/1", "B.com/2". Would monitoring of packets reveal: nothing, reveal only ...
15 votes | 4 answers | 521 views

What is the potential impact of these SSL certificate validation vulnerabilities?

I just finished reading through this paper by Georgiev et al, which demonstrates a wide range of serious security flaws in SSL certificate validation in various non-browser software, libraries and ...
15 votes | 4 answers | 728 views

ESET warns: Skype attempting to communicate with unknown remote computer

I am frequently getting warnings from my ESET firewall, like that pictured below, that Skype is attempting to communicate over SSL with a remote computer that has an untrusted certificate: The ...
15 votes | 1 answer | 470 views

TLS: RC4 or not RC4?

I was reading another interesting article by Matthew Green today, saying that if you're using RC4 as your primary ciphersuite in SSL/TLS, now would be a great time to stop. As far as I'm aware ...
15 votes | 3 answers | 573 views

What are the risks of using a CDN to speed up my website? How do I avoid them?

Content Delivery Networks (CDNs) are well known to speed up the performance of a website, but they create the obvious security risks if someone were to change the code that resides on the CDN. What ...
14 votes | 5 answers | 3k views

SSL with GET and POST

I'm pretty new to security, so forgive my basic question, but does SSL encrypt POST requests but not GET requests? For instance, if I have two requests GET: ...
14 votes | 4 answers | 724 views

What to transfer? Password or its hash?

Let's say in my database I store passwords hashed with salt with a fairly expensive hash (scrypt, 1000 rounds of SHA2, whatever). Upon login, what should I transfer over the network and why? Password ...
14 votes | 2 answers | 7k views

How can I check that my cookies are only sent over encrypted https and not http?

I read a blog post GitHub moves to SSL, but remains Firesheepable that claimed that cookies can be sent unencrypted over http even if the site is only using https. They write that a cookie should be ...
14 votes | 3 answers | 3k views

Convergence - an SSL replacement?

Today, Moxie Marlinspike, a security researcher famous for his research on Android and SSL and related protocols (author of sslstrip/sslsniff), released "Convergence", which he says is "an agile ...
14 votes | 3 answers | 784 views

What's an easy way to perform a man-in-the-middle attack on SSL?

I'd like to perform a man-in-the-middle attack on SSL connections between clients and a server. Assuming the following: I've got a certificate that the client will accept, via poor cert validation ...
13 votes | 4 answers | 1k views

Why does Facebook serve several SSL certificates?

Facebook seems to be alternately serving two SSL certificates, one from DigiCert and one from VeriSign. There are only two reasons for this that I can think of: They're in the middle of a ...
13 votes | 4 answers | 916 views

Is my Company Tracking Me?

Every time I try to connect to a site through HTTPS from my office computer, there is a Certificate Error thrown 2-3 times before showing the login screen. Till now I used to ignore this and click ...
13 votes | 5 answers | 1k views

What can I do about TLS 1.0 javascript injection vulnerability on my server?

The recent article featured on slashdot http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ says that connections secured with TLS 1.0 are susceptible to man-in-the-middle decryption ...
13 votes | 5 answers | 341 views

What is the best option for setting up a several sites supporting SSL on the same IP?

If multiple hostnames are hosted on the same IP, it's not straightforward to allow them to support https. What are the best options in terms of browser support and/or web server support?
13 votes | 4 answers | 896 views

How to detect “forged” SSL certificates from the webserver end

The company I work for sometimes intercepts employees' SSL connections to https websites by making the SSL connection on their behalf from a proxy, and then using their own generated certificate to send ...
