How much data leaked from the SSL connection?

Say that I was trying to access https://www.secretplace.com/really/really/secret.php, what was really sent in plain text before the SSL session was established?

Does any browser intervene: seeing that I want https, does it initiate an SSL session with secretplace.com (i.e. without passing the path in plain text), and only after the SSL session is set up send the path?

Just curious.

+4
3 answers

HTTP Secure

The level of protection depends on the correct implementation of the web browser and server software, as well as on the cryptographic algorithms used.

In addition, HTTPS is vulnerable when applied to publicly available static content. The entire site can be indexed using a web crawler, and the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size. This gives an attacker access to the plaintext (the publicly available static content) and the ciphertext (the encrypted version of the static content), which permits a cryptographic attack.

Since SSL operates below HTTP and has no knowledge of higher-level protocols, SSL servers can strictly present only one certificate for a particular IP/port combination. This means that in most cases it is not practical to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists that sends the host name to the server before encrypting the connection, although many older browsers do not support this extension. SNI support is available in Firefox 2, Opera 8, and Internet Explorer 7 on Windows Vista.

+5

In general, the name of the server you're talking to is leaked ("stackoverflow.com"). This probably happened via DNS before SSL/TLS could even start the connection.

The server certificate is leaked. Any client certificate that you sent (not a common configuration) may or may not be sent in the clear. An active attacker (man-in-the-middle) could just ask your browser for it and get it anyway.

The URL path part ("/questions/2146863/how-much-data-is-leaked-from-ssl-connection") should NOT be leaked. It is transmitted encrypted and secure (provided that the client and server are configured correctly and you have not ignored any certificate errors).

The other poster is right that traffic-analysis attacks are possible that can reveal some things about static content. If the site is very large and dynamic (say, stackoverflow.com), I suspect it can be quite difficult to get much useful information out of that. However, if there are only a few files with distinctive sizes, which one was downloaded may be obvious.

POST form data should NOT be leaked, although the usual caveats apply if you send objects of known sizes.

Timing attacks may reveal some information. For example, an attacker can hit various parts of the application (for example, a specific database table) or preload some static files from disk and see whether your connection slows down or speeds up in response.

This leaks information, but is probably not a big deal for most sites.

+5

The request is made by your browser to https://url:443, and this is in the clear. The server and client then negotiate a ciphersuite to protect the data. Typically this will include a symmetric encryption algorithm (e.g. 3DES or RC4 or AES) and a message authentication code (e.g. HMAC-SHA1) to detect tampering. Note that technically both of these are optional; it is possible to have SSL with no encryption, but hardly anyone does that today.

Once the client (your browser) and the web server have agreed on encryption and keys, the rest of the conversation will be protected.

To be honest, I would hook up a protocol analyzer and watch how it all unfolds before your eyes.

Remember that SSL sits at the transport layer of the TCP/IP stack; it is below the browser data, which is therefore protected.

Hope this helps.

-2

Source: https://habr.com/ru/post/1299534/

