

How does SSL work? - gozzoo
http://security.stackexchange.com/questions/20803/how-does-ssl-work

======
lucb1e
Writer of the top answer here. I haven't looked at the post in a while, it
might be that the answer is slightly outdated. BREACH has been released after
writing the answer and RC4 hasn't gotten anymore secure, but besides that I
don't think it misses that much. Let me know or do suggested edits if there is
anything you think should be added!

~~~
valarauca1
One could argue RC4 could have gotten more insecure. 2013 saw a theoretical
attack that would yield the RC4 key within real connection time frames.

------
Spittie
This is another awesome article on the topic:
[http://www.moserware.com/2009/06/first-few-milliseconds-
of-h...](http://www.moserware.com/2009/06/first-few-milliseconds-of-
https.html)

More on the "technical" side (and it's a bit old), but it's still totally
worth a read.

------
72deluxe
Sorry to post this but why not read up at
[http://en.wikipedia.org/wiki/Transport_Layer_Security#Protoc...](http://en.wikipedia.org/wiki/Transport_Layer_Security#Protocol_details)
?

~~~
chc
Wikipedia articles tend to be written in a rather impenetrable style† that
take a lot longer to convey the answer to a basic question like this than a
good Stack Exchange answer would.

† Often they alternate between being completely cryptic until you have read 14
other articles and going into full-on infovomit mode.

------
mschuster91
Side question: what about an active MITM attack which changes the ciphersuite
preferences?

So e.g. if I know as an attacker of a weakness in scheme X (which is
advertised by both server and client), but server and client would prefer
scheme Y, then I'd just have to manipulate the initial handshake to include
only scheme X, right?

~~~
Nursie
>> Side question: what about an active MITM attack which changes the
ciphersuite preferences?

Part of the protocol involves exchanging checksums of all data passed between
the server and client. Can't remember off the top of my head exactly when this
takes place, but effectively the whole handshake process is fed into a hash
algorithm and if they don't match then the connection won't be established.
The hash itself will be protected from MITM by some sort of signing/MAC.

~~~
mnordhoff
It happens during the Finished messages. The OP covers the handshake about
halfway down, and 72deluxe's Wikipedia link covers it nicely, too:

[https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_h...](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake)

In TLS 1.0 and 1.1, the Finished message is protected by HMAC-MD5 and HMAC-
SHA1. (RFC 2246, sections 5 and 7.4.9.) (By the way, while there are attacks
against MD5 and SHA-1, there are no known attacks against HMAC-MD5 or HMAC-
SHA1. Don't freak out.)

TLS 1.1 is the same as TLS 1.0. (RFC 4346, sections 5 and 7.4.9.)

For TLS 1.2, I am uncertain which algorithm is used. See RFC 5246, sections 5
and 7.4.9. It's either HMAC-SHA256 or the MAC defined by the chosen cipher
suite, which would currently be one of HMAC-MD5, HMAC-SHA1, HMAC-SHA256 or
HMAC-SHA384. (As long as your weakest cipher suite's MAC can't be broken in
half a second, this doesn't help an attacker.)

Edit: Staring at RFC 5246 a bit longer, I am almost certain that TLS 1.2 will
always use HMAC-SHA256. Future cipher suites may define a different algorithm,
but no such cipher suites yet exist.

(Edits: This post was basically written one sentence at a time in a dozen
different edits.)

~~~
Nursie
>> In TLS 1.0 and 1.1, the Finished message is protected by HMAC-MD5 and HMAC-
SHA1. (RFC 2246, sections 5 and 7.4.9.) (By the way, while there are attacks
against MD5 and SHA-1, there are no known attacks against HMAC-MD5 or HMAC-
SHA1. Don't freak out.)

Yeah, been reading up on HMAC lately. I had to implement a MAC algorithm due
to a weird failing by an embedded platform vendor. HMAC(sha256) was it, until
at the last minute we switched out for iso9797 algorithm 3, pad 3* because a
second vendor we have to work with couldn't support 32 byte keys. It's always
a bit sad to write beautiful code and then discard it again within days...

(*why yes, it is a retail application)

------
jokoon
I remember using gmail and having a mixed warning (telling me it would use
both http and https). It doesn't anymore.

------
slashdotaccount
Will it make my client more unique (so identifiable) for a third-party passive
attacker (who can sniff traffic) if I tune my browser's settings for example
to support only TLS 1.2 and by removing all the RC4 encryption methods?

------
numbers
I like posts like these, there was one on REST that explained it pretty well
too.

I would like to see if there's more folks have found which are somewhat high
level but are thorough as well like this post.

------
PinguTS
People who can't read Wikipedia ask questions on Stackexchange.

I always assumed, if you are on Stackexchange you have at least some knowledge
and also be competent enough to look for information yourself in the first
place.

~~~
alexkus
> People who can't read Wikipedia ask questions on Stackexchange.

Not saying this is an example of this behaviour but there are also groups of
people kudos whoring on SE/SO by shill posting questions and then providing
very thorough/researched answers shortly afterwards from their real
account(s).

~~~
grkvlt
Why would you need to do this (use 'shill' accounts, that is) and why would
you care? You are allowed (encouraged, even) to answer your own questions on
these sites - [http://blog.stackoverflow.com/2011/07/its-ok-to-ask-and-
answ...](http://blog.stackoverflow.com/2011/07/its-ok-to-ask-and-answer-your-
own-questions/)

~~~
berdario
You cannot do that right away unless you have enough reputation (I've been
bitten by it, and it's terribly frustrating)

btw, I agree that such behavior is actually positive: more thoroughly
researched answers are a plus, not a downside

------
dclara
Awesome information. It looks easier to digest than Wiki:

[http://en.wikipedia.org/wiki/Secure_Sockets_Layer](http://en.wikipedia.org/wiki/Secure_Sockets_Layer)

I've got hands-on experience 10 years ago, I thoroughly understand how SSL
handshaking is working. But it's still not enough, especially with the latest
upgrades and attacks.

I'll save it somewhere. BTW, where do you guys save the important information?
Or just let it passed? Can never remember enough detail about it. And next
time when I need it, it's hard to find any more.

Let's save it. [http://kck.st/JNqv8z](http://kck.st/JNqv8z)

~~~
ksrm
Oh my god, give it a rest, man!

[https://news.ycombinator.com/submitted?id=dclara](https://news.ycombinator.com/submitted?id=dclara)

~~~
dclara
Thank you for showing the list, which is part of the marketing campaign I'm
running on both Kickstarter and Hacker News. Since those posts are not on the
first page, they disappeared quickly, and I'm afraid that not many people have
visited.

Is there anything wrong with it? Do you mean I cannot or should not post the
series of blog posts here for people to visit?

Instead, I'd like to hear from you how you like it or why you hate it.

You may check out if I only commented on my own project from all my comments:

[https://news.ycombinator.com/threads?id=dclara](https://news.ycombinator.com/threads?id=dclara)

