SSL


Ked(Posted 2011) [#1]
I've been doing some reading on SSL and I'm not sure I understand it all that well. (I've read the Wikipedia page and a few others.) Does it basically--and in idiot terms--work like this?

1. Open connection to https server.
2. Exchange credentials (keys, hellos, etc.)
3. Encrypt everything (headers, body, requests, gets, etc.)
4. Send encrypted.
5. Wait for reply from https server.
6. Receive encrypted.
7. Decrypt everything.

Everything stays encrypted throughout the entire transmission process? Any router logging output is unreadable and encrypted? Any third-parties (ISPs, attackers, etc.) see encrypted information?


degac(Posted 2011) [#2]
Basically it's correct: the connection is encrypted, so everything that is sent or received is encrypted.
And as it has been used by banks and other security agencies for more than 10 years, I suppose the system is quite secure.
Of course a key-logger program (or trojan or whatever else) installed on the client (or on the server) can intercept the user/password credentials and make the SSL connection useless.
I'm not 100% sure, but the browser should not keep information about the SSL session in cache or RAM.

PS: encrypted information *could* be decrypted with time and raw computing power; the longer the key, the longer the time required, but a 'totally secure system' is not of this world (maybe with quantum mechanics....)


ima747(Posted 2011) [#3]
To re-state and possibly simplify: SSL is used to encrypt transmission of data. The end result is the data between point A (say the server) and B (say the client) is encrypted and by extension "secured". This has nothing to do with storage, display or input on either end. Full stop.

To expand on that: the data being sent is secure, but who sees it on either end (key logger, someone monitoring system activity, where the data is stored or cached, etc.) is always up in the air. A standards-compliant web browser shouldn't store or cache any data when it knows it's using an SSL connection, as this is common sense, but there's no guarantee of that. And anything you can see on your screen is also sitting somewhere in RAM...

So, as long as your client and server devices can be trusted, and you use an SSL encrypted channel between the two, your data is in practice secured. But break any link in the chain and all bets are off (see Sony's recent breach: clients are secured, data is encrypted when sent, Sony stored it all in mostly plain text in a biiiiig database... steal the database and nothing else matters.)
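As an added example (not from any poster in this thread), the Python below parses the unencrypted parts of a TLS 1.2 exchange the way an on-path router would see them during step 2 of Ked's list: the 5-byte record header and the ClientHello's server_name (SNI) are readable, while an application_data record exposes only type, version and length. The ClientHello bytes are constructed inline by `build_client_hello`, a hypothetical helper, and `APP_DATA_RECORD` is a constructed record standing in for ciphertext.

```python
import struct
from typing import Optional

# Constructed TLS 1.2 ClientHello carrying one server_name extension (test input
# only, not real traffic). Hypothetical helper, not from the thread.
def build_client_hello(host: str) -> bytes:
    name = host.encode()
    name_list = struct.pack("!BH", 0, len(name)) + name          # host_name type 0
    sni_ext = struct.pack("!H", len(name_list)) + name_list
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext          # ext type 0 = SNI
    body = (b"\x03\x03"                                           # TLS 1.2
            + b"\x11" * 32                                        # random (fixed)
            + b"\x00"                                             # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_record_header(record: bytes) -> dict:
    """The 5-byte record header is never encrypted: any router can read it."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    return {"content_type": ctype, "version": (major, minor), "length": length}

def extract_sni(record: bytes) -> Optional[str]:
    """Return the hostname from a plaintext ClientHello, or None if there is none."""
    hdr = parse_record_header(record)
    hs = record[5:5 + hdr["length"]]
    if hdr["content_type"] != 0x16 or len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a handshake / not a ClientHello
    pos = 4 + 2 + 32                                  # handshake header, version, random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:                             # server_name: list_len(2) type(1) len(2)
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

# Constructed application_data record: the 16 payload bytes stand in for ciphertext.
APP_DATA_RECORD = b"\x17\x03\x03\x00\x10" + bytes(range(16))
```

Run `extract_sni` and `parse_record_header` over both records to compare what an observer learns before and after the handshake completes.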