"secure" communications nowadays. Help?
Posted: Sun Feb 14, 2016 8:49 pm
by coulonnus
I mean 1: websites beginning with https 2: IMAP and SMTP servers using the SSL protocol for mail clients 3: The SSH Secure Shell Client to log on a remote workstation and obtain a command prompt window.
Each connection I do is undoubtedly encrypted when it is not the first time, but at the very first time I connected to each server, there was a certificate exchange. Then hasn't whoever spied this first connection enough material to decrypt the subsequent connections? Can anybody explain?
Re: "secure" communications nowadays. Help?
Posted: Sun Feb 14, 2016 9:28 pm
by Choralia
Asymmetric keys are the trick.
This is the Wikipedia article on the subject.
In summary, at the beginning of a communication session each party sends to the other party its own public key. Public keys can be publicly distributed, as there is nothing secret inside them. The real secret is in the private key, which is the only thing allowing one to decrypt a message encrypted with the corresponding public key. Once the two parties have established a secure communication channel by exchanging their public keys, they can use the channel to exchange symmetrical keys, which are much less computationally intensive.
Max
Re: "secure" communications nowadays. Help?
Posted: Mon Feb 15, 2016 7:36 am
by coulonnus
Thanks. With some https sites my browser complains: problem: the certificate was issued for another address. Someone may intercept what you are typing etc.
Is there a lack of competence by the site administrator?
Re: "secure" communications nowadays. Help?
Posted: Mon Feb 15, 2016 3:13 pm
by noqu
coulonnus wrote: Is there a lack of competence by the site administrator?
Essentially, yes (although it is not always easy for administrators to get these things right). But you should always be suspicious if these browser warnings occur.
Technically, the problem lies in the initial exchange of public keys as Choralia described. In order for things to be safe, you need to trust that the public key you receive is really the server's public key (and does not belong to a "man-in-the-middle" eavesdropper). For that purpose, servers have their public keys "signed" by a trusted authority - the result is called a "certificate". In the case you describe, the certificate was apparently issued for a different hostname and is thus not valid. This may be as simple as the certificate being issued for "production.acme.com" and you currently being redirected to "backup.acme.com" because of a technical glitch, but it might also indicate something really fishy.
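The hostname check behind the "issued for another address" warning, as an added example that is not part of the original post. The certificate dictionaries are constructed and mimic the shape of Python's `ssl.getpeercert()` output; the function names are hypothetical.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the hostname the user asked for.

    A '*' is honoured only as the entire left-most label and covers exactly
    one label: '*.acme.com' matches 'www.acme.com' but neither 'acme.com'
    nor 'a.b.acme.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def certificate_names(cert: dict) -> list:
    """DNS entries of subjectAltName, which is what current browsers match against."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_hostname(cert: dict, hostname: str) -> str:
    names = certificate_names(cert)
    if any(dns_name_matches(name, hostname) for name in names):
        return "ok"
    listed = ", ".join(names) or "<no DNS names>"
    return "mismatch: certificate is for %s, not %s" % (listed, hostname)


# Constructed certificates using the hostnames from the post above.
PRODUCTION_CERT = {"subjectAltName": (("DNS", "production.acme.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.acme.com"), ("DNS", "acme.com"))}

if __name__ == "__main__":
    for cert, host in [(PRODUCTION_CERT, "production.acme.com"),
                       (PRODUCTION_CERT, "backup.acme.com"),
                       (WILDCARD_CERT, "backup.acme.com"),
                       (WILDCARD_CERT, "a.b.acme.com")]:
        print(host, "->", check_hostname(cert, host))
```

The second case is the redirect scenario from the post: a valid certificate for "production.acme.com" presented while the browser is talking to "backup.acme.com".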
Re: "secure" communications nowadays. Help?
Posted: Mon Feb 15, 2016 7:20 pm
by coulonnus
noqu wrote: For that purpose, servers have their public keys "signed" by a trusted authority - the result is called a "certificate".
Thanks too. Do servers have to pay something for this service? Is this trusted authority something governmental?
Re: "secure" communications nowadays. Help?
Posted: Tue Feb 16, 2016 5:48 pm
by noqu
coulonnus wrote: Do servers have to pay something for this service?
That basically depends on the quality of the certificate.
On the low end, there are some free certificate authorities that essentially only verify "control over the server", i.e. if you can demonstrate that you can answer mails to "webmaster@acme.com" or place a test file at "http://acme.com/testfile", you are entitled to such a certificate for "acme.com".
On the high end, rather expensive certification authorities perform a whole background check that would typically involve a lot of documents and maybe a personal interview with the board members of "acme.com". This is what an online bank would typically need. Many browsers indicate the certificate level somehow, e.g. Mozilla colors the URL in green for the highest level.
coulonnus wrote: Is this trusted authority something governmental?
No, certification authorities are commercial companies. The decision which of them are to be trusted is made by an (unfortunately rather intransparent) consortium of all major browser companies. Each browser carries (at its installation) a number of "root certificates". These identify the trusted certification authorities. Nowadays these are quite a lot, not all of them are equally well known, and there is quite a bit of discussion whether that is not a problem somehow...
Re: "secure" communications nowadays. Help?
Posted: Fri Aug 25, 2017 7:07 am
by coulonnus
coulonnus wrote: Thanks. With some https sites my browser complains: problem: the certificate was issued for another address [...]
On a given computer one browser complains, the other does not. On another computer both browsers do not complain. Do browsers fetch the list of CA they trust somewhere on the net or is it somewhere on my computer?
Re: "secure" communications nowadays. Help?
Posted: Fri Aug 25, 2017 2:43 pm
by noqu
coulonnus wrote: On a given computer one browser complains, the other does not.
I assume this is not the "certificate was issued for another address" complaint, because all browsers should treat this equally as a failure, unless one of them is (mis-)configured to ignore it.
coulonnus wrote: Do browsers fetch the list of CA they trust somewhere on the net or is it somewhere on my computer?
It typically comes with the installation/update of the browser. Not all browsers treat all CAs equally - there have been quite a few disputes recently about misbehaving CAs, resulting in some browsers removing them, others not (google 'wosign startcom' to read about it).
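The certificate signing and root-certificate lookup described in noqu's posts in this thread, and why two browsers with different CA lists can disagree about the same site, as an added example that is not part of the original posts. It uses textbook RSA on fixed primes purely for illustration; all party names, keys and functions are constructed.

```python
import hashlib

# Toy textbook RSA on fixed Mersenne primes: constructed for illustration, NOT secure.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return (key["n"], key["e"])

def digest(hostname, server_pub, n):
    data = ("%s|%d|%d" % (hostname, server_pub[0], server_pub[1])).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ca_name, ca_key, hostname, server_pub):
    """The CA binds hostname to server_pub by signing their hash with its private key."""
    sig = pow(digest(hostname, server_pub, ca_key["n"]), ca_key["d"], ca_key["n"])
    return {"issuer": ca_name, "hostname": hostname, "key": server_pub, "sig": sig}

def verify(cert, trust_store):
    """Client-side check: needs only the CA public keys installed with the browser."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return "rejected: issuer is not an approved CA"
    n, e = ca_pub
    if pow(cert["sig"], e, n) != digest(cert["hostname"], cert["key"], n):
        return "rejected: signature does not match certificate contents"
    return "trusted"

# Hypothetical parties (all names and keys are constructed).
ROOT_CA = make_key(2**89 - 1, 2**107 - 1)
SMALL_CA = make_key(2**107 - 1, 2**127 - 1)
SERVER = make_key(2**61 - 1, 2**127 - 1)
INTERCEPTOR = make_key(2**61 - 1, 2**89 - 1)

BROWSER_A = {"Example Root CA": public(ROOT_CA)}
BROWSER_B = {"Example Root CA": public(ROOT_CA), "Example Small CA": public(SMALL_CA)}

genuine = issue("Example Root CA", ROOT_CA, "acme.com", public(SERVER))
# Same certificate with the key swapped in transit: the CA signature no longer fits.
swapped = dict(genuine, key=public(INTERCEPTOR))
# Certificate naming the root CA but signed with a key that is not the CA's.
self_made = issue("Example Root CA", INTERCEPTOR, "acme.com", public(INTERCEPTOR))
# Properly signed, but by a CA that only browser B ships.
small_ca_cert = issue("Example Small CA", SMALL_CA, "acme.com", public(SERVER))

if __name__ == "__main__":
    for name, cert in [("genuine", genuine), ("swapped", swapped),
                       ("self_made", self_made), ("small_ca", small_ca_cert)]:
        print(name, "| A:", verify(cert, BROWSER_A), "| B:", verify(cert, BROWSER_B))
```

Everything the client verifies with is public, so someone who recorded the first connection holds the same certificate and public keys but none of the private keys needed to sign or decrypt.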
Re: "secure" communications nowadays. Help?
Posted: Fri Aug 25, 2017 4:09 pm
by coulonnus
noqu wrote: I assume this is not the "certificate was issued for another address" complaint, because all browsers should treat this equally as a failure, unless one of them is (mis-)configured to ignore it.
Yes. The message is - forgive my English translation - The certificate provided by this site was not provided by an approved CA. There is a risk ... we recommend etc.
Re: "secure" communications nowadays. Help?
Posted: Fri Aug 25, 2017 7:26 pm
by Choralia
coulonnus wrote: On a given computer one browser complains, the other does not.
Browsers may offer the option to add a security exception, so that the security warning is not displayed any longer for that website. This might be the reason of the different behavio(u)r, if you added the security exception on one computer and not on the other computer.
You may try to check the exceptions list and remove the specific exception you added. The procedure depends on the browser.
This is a good reference for Firefox.
Max