Skip to Content.
Sympa Menu

ad-assurance - [AD-Assurance] RE: More info on SSL/TLS

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

[AD-Assurance] RE: More info on SSL/TLS


Chronological Thread 
  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] RE: More info on SSL/TLS
  • Date: Thu, 12 Sep 2013 19:04:13 +0000
  • Accept-language: en-US

Sorry, I should have been more specific that the research paper that is referred to by the article has a fairly detailed analysis of the TLS protocol and mentions the SHA1 and MD5  HMAC for digital signature during the TLS handshake protocol.

 

I think it is pretty clear that some random / secret key information is being exchanged and that a digital signature is generated by the server on that information and confirmed by the client, so therefore that’s why the SSL3.0/TLS 1.0 protocols won’t meet NIST after 2013.  The key point here about the digital signature is that it is being “GENERATED”.  That might not be news to everyone, but it clears up that just getting a new server SSL certificate with a 2013 date may not be enough.

 

http://www.sans.org/reading-room/whitepapers/authentication/ssl-tls-whats-hood-34297

 

http://crypto.stackexchange.com/questions/6431/digital-signatures-in-ssl-tls-like-protocols

 

Jeff

 

From: [mailto:] On Behalf Of Ron Thielen
Sent: Thursday, September 12, 2013 2:17 PM
To:
Subject: [AD-Assurance] RE: More info on SSL/TLS

 

Yes, or you could use something like Fiddler to capture and replay all HTTP(S) traffic.  However, the point of protected channels is to protect the data between the endpoints.  If the threat agent has inordinate access to either endpoint, then it’s game over anyway.  It’s about the channel, not the termination points. 

 

If you want more to worry about with regard to stupid things that can happen at endpoints, look at http://blog.elliottkember.com/chromes-insane-password-security-strategy

 

Ron

 

From: [] On Behalf Of Capehart,Jeffrey D
Sent: Thursday, September 12, 2013 1:06 PM
To:
Subject: [AD-Assurance] More info on SSL/TLS

 

I saw this on the SANS blog and Newsbites and thought it might be interesting reading since we have been talking about SSL and TLS.  Just in case you were wondering how hard it might be to decrypt your protected channel, this post goes into detail showing how easy it is to do.

-Jeff C.

 

https://isc.sans.edu/diary/Psst.+Your+Browser+Knows+All+Your+Secrets./16415

 

“I got to wondering one day how difficult it would be to find the crypto keys used by my browser and a web server for TLS sessions. I figured it would involve a memory dump, volatility, trial and error and maybe a little bit of luck. So I started looking around and like so many things in life….all you have to do is ask. Really. Just ask your browser to give you the secrets and it will! As icing on the cake, Wireshark will read in those secrets and decrypt the data for you. Here’s a quick rundown of the steps:”

 

Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu

 


Archive powered by MHonArc 2.6.16.

Top of Page