#31
11-03-2010, 01:02 PM
RayLopez99
Re: Anybody know how https *really* works? I didn't think so

On Nov 3, 1:54 pm, RayLopez99 <raylope...@gmail.com> wrote:
> On Nov 2, 2:29 pm, Jason Keats <jke...@melbpcDeleteThis.org.au> wrote:
>
> > RayLopez99 wrote:
>
> > > Please explain if it's possible for C to send to Z, then, if there's
> > > an intermediate SOAP server S, unknown to C (maybe not unknown, but
> > > perhaps unsuspected for a security risk) whether S can decrypt the
> > > message if C has typed in Z's URL.
>
> > The answer is still no!
>
> Why? See my question to Unruh. Don't crap out now Jason, we are close
> to the finish line and you've come so far! Future readers of this
> thread, and it's novel as I've not seen this topic elsewhere, will
> wonder what the answer is.
>
> RL
>
> keywords: SSL does not work, SSL does not encrypt, SSL is not safe,
> TLS does not work, TLS is not safe, TLS does not encrypt, message
> security not 100% not complete not guaranteed with SSL or TLS, people
> can read your messages with SSL certificate or TLS certificates.


Further, Microsoft says that S can decrypt the message. Why do they
say that? Is this a case where a "mashup" is involved, where C and/or
Z has given permission to S to decrypt? If so, that solves the
riddle. But if S can routinely decrypt, then it's a mystery.

RL

#32
11-04-2010, 10:20 AM
unruh
Re: Anybody know how https *really* works? I didn't think so

On 2010-11-03, RayLopez99 <raylopez88@gmail.com> wrote:
> On Nov 2, 12:03 pm, unruh <un...@wormhole.physics.ubc.ca> wrote:
>
>> Your system contacts Z and asks for a public key. It then checks the
>> signing authority of that public key against the set of signing
>> authorities it has in its list. If it checks out, it then uses Z's
>> public key to encrypt a random symmetric key, and encrypts the message with
>> that symmetric key, and sends the encrypted symmetric key and the
>> encrypted message out.
>> Thus any S would need to know Z's private key.
>>
>> Now, if S could act as a man in the middle, and persuade your machine
>> that S's public key is really Z's public key, then of course S could
>> read your transmission. That is prevented by the "web of trust" -- the
>> fact that you trust the signing authority who stated that Z's key really
>> was Z's key. Of course if you do not have the signing authority's public
>> key in your system or S has persuaded you (or your distro) to put a bogus public key for
>> that signing authority into your system, the game is up.
>>
>> So no, without a lot of work, intermediate machines cannot read your SSL
>> stuff sent to Z, or you ignored the warning from your browser that it
>> did not know the signing authority for the key you are using.
>
> Unruh--you are probably late to this thread. The issue here is not
> spoofing so much as the statement by others in this thread that S (the
> intermediary) *CAN* read your SSL stuff. How it does this is the
> question.


The statements are wrong.

>
> One proposal (and I have yet to see this explicitly): for SSL
> encrypted message routing to work, when involving intermediaries like
> SOAP servers (like S in our A to S to Z transmission of a SSL
> message), S the intermediary *must* be able to decrypt the message.


Nonsense. It just passes it on.

> It contacts the relevant endpoint, Z, gets permission to decrypt, and
> does decrypt. Then it routes the message using the headers


That would be a HUGE HUGE hole in SSL protocol. It might as well not
exist if that were true.

> (unencrypted). Before it transmits the message, S will of course


The headers are ALWAYS unencrypted. That is how the message gets from A
to B.

> encrypt it again, so while the message is in transit nobody can read
> it. But S itself can (and must) read the message for the transmission
> to work.


Bunnybeads.

>
> Can anybody confirm this? I've not seen this on the net, but it's a
> logical inference from what I have seen.
>
> RL


#33
11-07-2010, 06:07 PM
RayLopez99
Re: Anybody know how https *really* works? I didn't think so

On Oct 29, 8:36 pm, "FromTheRafters" <erra...@nomail.afraid.org> wrote:

> ***
> Yep, I learned that you are a stupid troll.
>
> Bye-bye
> ***

Here's a reference for you to 'bone up' on, bonehead:
(http://msdn.microsoft.com/en-us/library/ms733137%28VS.90%29.aspx)
"End-to-end security. A secure transport, such as Secure Sockets Layer
(SSL) works only when the communication is point-to-point. If the message
is routed to one or more SOAP intermediaries before reaching the ultimate
receiver, the message itself is not protected once an intermediary reads
it from the wire."

EXPLAIN WHY MESSAGE IS NOT PROTECTED ONCE AN INTERMEDIARY SOAP IS
PRESENT, DOPE.

Ball is in your court. Cowardice and evasion noted.

RL

#34
11-07-2010, 07:10 PM
unruh
Re: Anybody know how https *really* works? I didn't think so

On 2010-11-07, RayLopez99 <raylopez88@gmail.com> wrote:
> On Oct 29, 8:36 pm, "FromTheRafters" <erra...@nomail.afraid.org> wrote:
>
>> ***
>> Yep, I learned that you are a stupid troll.
>>
>> Bye-bye
>> ***
>
> Here's a reference for you to 'bone up' on, bonehead:
> (http://msdn.microsoft.com/en-us/library/ms733137%28VS.90%29.aspx)
> "End-to-end security. A secure transport, such as Secure Sockets Layer
> (SSL) works only when the communication is point-to-point. If the message
> is routed to one or more SOAP intermediaries before reaching the ultimate
> receiver, the message itself is not protected once an intermediary reads
> it from the wire."
>
> EXPLAIN WHY MESSAGE IS NOT PROTECTED ONCE AN INTERMEDIARY SOAP IS
> PRESENT, DOPE.
>
> Ball is in your court. Cowardice and evasion noted.


You are making the assumption that all people at microsoft.com know what
they are talking about. That assumption need not be a good one. That is
another possibility you seem to be avoiding.
Also, a SOAP is a machine which is supposed to make changes to a
document. In order to do so, it MUST be able to read and change the
document. Thus if you are using ssl, the link must be from the original
machine to the intermediary which must be able to decrypt the message.
The original must therefore send the message to the SOAP intermediary
encrypted with the intermediary's public key protocol.

That is how I read it.


>
> RL


#35
11-07-2010, 10:56 PM
FromTheRafters
Re: Anybody know how https *really* works? I didn't think so

"unruh" <unruh@wormhole.physics.ubc.ca> wrote in message
news:slrnidducl.8ik.unruh@wormhole.physics.ubc.ca. ..
> On 2010-11-07, RayLopez99 <raylopez88@gmail.com> wrote:
>> On Oct 29, 8:36 pm, "FromTheRafters" <erra...@nomail.afraid.org> wrote:
>>
>>> ***
>>> Yep, I learned that you are a stupid troll.
>>>
>>> Bye-bye
>>> ***
>>
>> Here's a reference for you to 'bone up' on, bonehead:
>> (http://msdn.microsoft.com/en-us/library/ms733137%28VS.90%29.aspx)
>> "End-to-end security. A secure transport, such as Secure Sockets Layer
>> (SSL) works only when the communication is point-to-point. If the message
>> is routed to one or more SOAP intermediaries before reaching the ultimate
>> receiver, the message itself is not protected once an intermediary reads
>> it from the wire."
>>
>> EXPLAIN WHY MESSAGE IS NOT PROTECTED ONCE AN INTERMEDIARY SOAP IS
>> PRESENT, DOPE.
>>
>> Ball is in your court. Cowardice and evasion noted.
>
> You are making the assumption that all people at microsoft.com know what
> they are talking about. That assumption need not be a good one. That is
> another possibility you seem to be avoiding.
> Also, a SOAP is a machine which is supposed to make changes to a
> document. In order to do so, it MUST be able to read and change the
> document. Thus if you are using ssl, the link must be from the original
> machine to the intermediary which must be able to decrypt the message.
> The original must therefore send the message to the SOAP intermediary
> encrypted with the intermediary's public key protocol.
>
> That is how I read it.


Yes, Transport Layer Security is like the two cans and a string in a
point-to-point communications link. You want to protect from anyone
tapping the string getting your data while still having the users
understand one another. It is about the *string* not about the cans
(diaphragms) or the ears. In this analogy, the TLS would sit between the
diaphragms and the strings and be transparent to the users. It is not
about what the users can and cannot do, it is about what someone tapping
the string would be able to do (nothing, because it is still encrypted
at that point).

If you want to keep your data secure from the people that you have
trusted with the session keys, you should encrypt the data itself before
sending it to the TLS.

I won't be responding to any further posts by this troll until he learns
not to crosspost. :o)

Though I am pleasantly surprised he included the security group this
time, he usually tries to pick groups where he has a chance to look
superior on a given subject even though he obviously lacks clue.




#36
11-07-2010, 11:40 PM
RayLopez99
Re: Anybody know how https *really* works? I didn't think so

On Nov 7, 9:10 pm, unruh <un...@wormhole.physics.ubc.ca> wrote:

> You are making the assumption that all people at microsoft.com know what
> they are talking about. That assumption need not be a good one. That is
> another possibility you seem to be avoiding.


Good point. The passage is unclear--it implies that the SOAP
intermediary is an 'exception' to https being secure, akin to a
Cross-site scripting (XSS) attack. But in fact, if your interpretation is
correct, it's not really an exception.

> Also, a SOAP is a machine which is supposed to make changes to a
> document. In order to do so, it MUST be able to read and change the
> document. Thus if you are using ssl, the link must be from the original
> machine to the intermediary which must be able to decrypt the message.
> The original must therefore send the message to the SOAP intermediary
> encrypted with the intermediary's public key protocol.
>
> That is how I read it.


Very logical, and it works to explain the passage, except for the fact
it makes the passage trivial. If all Microsoft is saying (and not
just Microsoft--I've seen similar language in a book on WCF by
Resnick, an authority on WCF) is that 'when you send an SSL / TLS
secured message to a SOAP intermediary, since SSL / TLS is only good
for transport and not for the endpoints, don't forget that you must
decrypt the message at the SOAP intermediary', well, this is very
true, but trivial. How is that an exception to https being secure?
An exception like XSS attacks? I think there might be more going on
that nobody in this thread is aware of, but for the time being I guess
we have to settle for your answer.

Thanks for the reply.

RL

#37
11-07-2010, 11:44 PM
RayLopez99
Re: Anybody know how https *really* works? I didn't think so

On Nov 8, 12:56 am, "FromTheRafters" <erra...@nomail.afraid.org> wrote:
>
> Yes, Transport Layer Security is like the two cans and a string in a
> point-to-point communications link. You want to protect from anyone
> tapping the string getting your data while still having the users
> understand one another. It is about the *string* not about the cans
> (diaphragms) or the ears. In this analogy, the TLS would sit between the
> diaphragms and the strings and be transparent to the users. It is not
> about what the users can and cannot do, it is about what someone tapping
> the string would be able to do (nothing, because it is still encrypted
> at that point).
>
> If you want to keep your data secure from the people that you have
> trusted with the session keys, you should encrypt the data itself before
> sending it to the TLS.


That last part makes no sense, kind of like you in real life.

If you trust somebody with session keys, why would you want to keep
your data secure from them? Again, see my reply just now to unruh.

Either the passage is trivial (unruh's interpretation, and for now I
have to agree with him), or, there's more going on that none of us is
aware of. That's also a possibility, as I've seen this language in a
textbook. Unless the textbook author was merely parroting the unclear
language from Microsoft, which I guess is possible too.

RL

#38
11-08-2010, 01:06 AM
Ari Silverstein
Re: Anybody know how https *really* works? I didn't think so

On Sun, 7 Nov 2010 15:44:43 -0800 (PST), RayLopez99 wrote:

> Either the passage is trivial (unruh's interpretation, and for now I
> have to agree with him), or, there's more going on that none of us is
> aware of.


Yeah, you're unaware, that's for ****ing sure. lol
--
Talk about F-Cars - www.ferrarichat.com/forum/member.php?u=89702

#39
11-08-2010, 01:07 AM
FromTheRafters
Re: Anybody know how https *really* works? I didn't think so

"unruh" <unruh@wormhole.physics.ubc.ca> wrote in message
news:slrnidducl.8ik.unruh@wormhole.physics.ubc.ca. ..
> On 2010-11-07, RayLopez99 <raylopez88@gmail.com> wrote:
>> On Oct 29, 8:36 pm, "FromTheRafters" <erra...@nomail.afraid.org> wrote:
>>
>>> ***
>>> Yep, I learned that you are a stupid troll.
>>>
>>> Bye-bye
>>> ***
>>
>> Here's a reference for you to 'bone up' on, bonehead:
>> (http://msdn.microsoft.com/en-us/library/ms733137%28VS.90%29.aspx)
>> "End-to-end security. A secure transport, such as Secure Sockets Layer
>> (SSL) works only when the communication is point-to-point. If the message
>> is routed to one or more SOAP intermediaries before reaching the ultimate
>> receiver, the message itself is not protected once an intermediary reads
>> it from the wire."
>>
>> EXPLAIN WHY MESSAGE IS NOT PROTECTED ONCE AN INTERMEDIARY SOAP IS
>> PRESENT, DOPE.
>>
>> Ball is in your court. Cowardice and evasion noted.
>
> You are making the assumption that all people at microsoft.com know what
> they are talking about. That assumption need not be a good one. That is
> another possibility you seem to be avoiding.


They seemed to me to be trying to make the point that it is the *session*
that is encrypted and how that subtle difference is manifested when someone
tries to implement *it* instead of using file encryption (end-to-end as
opposed to point-to-point).



#40
11-08-2010, 08:46 PM
Registered User
Re: Anybody know how https *really* works? I didn't think so

On Sun, 7 Nov 2010 15:44:43 -0800 (PST), RayLopez99
<raylopez88@gmail.com> wrote:

>On Nov 8, 12:56 am, "FromTheRafters" <erra...@nomail.afraid.org> wrote:
>>
>> Yes, Transport Layer Security is like the two cans and a string in a
>> point-to-point communications link. You want to protect from anyone
>> tapping the string getting your data while still having the users
>> understand one another. It is about the *string* not about the cans
>> (diaphragms) or the ears. In this analogy, the TLS would sit between the
>> diaphragms and the strings and be transparent to the users. It is not
>> about what the users can and cannot do, it is about what someone tapping
>> the string would be able to do (nothing, because it is still encrypted
>> at that point).
>>
>> If you want to keep your data secure from the people that you have
>> trusted with the session keys, you should encrypt the data itself before
>> sending it to the TLS.
>
>That last part makes no sense, kind of like you in real life.
>

It makes absolute sense! Intermediate tiers need to decrypt the
envelope. If the letter does not have additional encryption its
contents will be decrypted when the envelope is encrypted.

If the letter is encrypted before it goes in the envelope, the letter
will remain encrypted when an intermediate tier decrypts the envelope.

>If you trust somebody with session keys, why would you want to keep
>your data secure from them? Again, see my reply just now to unruh.
>

You are confusing authentication and authorization. Reading about
roles and memberships may provide some insights.

>Either the passage is trivial (unruh's interpretation, and for now I
>have to agree with him), or, there's more going on that none of us is
>aware of. That's also a possibility, as I've seen this language in a
>textbook. Unless the textbook author was merely parroting the unclear
>language from Microsoft, which I guess is possible too.
>


The problem is something doesn't work the way you expect. This has
occurred before.

regards
A.G.
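
The envelope-and-letter distinction from the post above, as an added example that is not part of the original thread: C sends to Z through S with one session key per hop, with and without encrypting the message itself first. The cipher is a toy standard-library stand-in for TLS record protection, and the names `send_via_intermediary`, `k_cs`, `k_sz` and `k_cz` are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher (HMAC-SHA256 keystream XOR + HMAC tag). It stands in
# for a real AEAD only so this runs on the standard library; not for real use.

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("truncated")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def send_via_intermediary(message, k_cs, k_sz, k_cz=None):
    """Route message C -> S -> Z.

    k_cs, k_sz: per-hop session keys (stand-ins for two separate TLS sessions).
    k_cz: optional key known only to C and Z (message-level encryption).
    Returns the bytes on each wire, what S holds after it terminates its
    session with C, and what Z finally recovers.
    """
    letter = seal(k_cz, message) if k_cz else message  # encrypt the letter itself
    wire_cs = seal(k_cs, letter)                        # envelope for hop C -> S
    held_by_s = unseal(k_cs, wire_cs)                   # S opens the envelope
    wire_sz = seal(k_sz, held_by_s)                     # S re-wraps for hop S -> Z
    at_z = unseal(k_sz, wire_sz)
    recovered = unseal(k_cz, at_z) if k_cz else at_z
    return {"wire_cs": wire_cs, "held_by_s": held_by_s,
            "wire_sz": wire_sz, "recovered": recovered}

if __name__ == "__main__":
    msg = b"transfer 100 to account 42"  # constructed sample payload
    k_cs, k_sz, k_cz = (secrets.token_bytes(32) for _ in range(3))
    hop_only = send_via_intermediary(msg, k_cs, k_sz)
    end_to_end = send_via_intermediary(msg, k_cs, k_sz, k_cz)
    print("tap on wire sees plaintext:", msg in hop_only["wire_cs"])
    print("S holds plaintext (transport only):", hop_only["held_by_s"] == msg)
    print("S holds plaintext (letter encrypted):", end_to_end["held_by_s"] == msg)
    print("Z recovers message:", end_to_end["recovered"] == msg)
```

In both runs a tap on either wire sees only ciphertext; the difference is what S holds once it has terminated its own session.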

#41
11-08-2010, 10:40 PM
Ari Silverstein
Re: Anybody know how https *really* works? I didn't think so

On Mon, 08 Nov 2010 15:46:52 -0500, Registered User wrote:

> You are confusing authentication and authorization. Reading about
> roles and memberships may provide some insights.
>
>>Either the passage is trivial (unruh's interpretation, and for now I
>>have to agree with him), or, there's more going on that none of us is
>>aware of. That's also a possibility, as I've seen this language in a
>>textbook. Unless the textbook author was merely parroting the unclear
>>language from Microsoft, which I guess is possible too.
>>

>
> The problem is something doesn't work the way you expect. This has
> occurred before.
>
> regards
> A.G.


Yeah, I remember when Ray was trolling the fitness and weights
newsgroups and BBs trying to get medical advice on why one of his
nuts hurt. He refused to admit to what was an obvious fact to all of
us that was when you whack-off 6-10x/day, and are RHanded, chances are
you're going to have a sore right testicle. lol

True story btw.

https://secure.wikimedia.org/wikiped...ser:Raylopez99
--
My Medline articles - http://tinyurl.com/34r38aq

#42
11-08-2010, 10:48 PM
RayLopez99
Re: Anybody know how https *really* works? I didn't think so

On Nov 9, 12:40 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:

> Yeah, I remember when Ray was trolling the fitness and weights
> newsgroups and BBs trying to get medical advice on why one of his
> nuts hurt. He refused to admit to what was an obvious fact to all of
> us that was when you whack-off 6-10x/day, and are RHanded, chances are
> you're going to have a sore right testicle. lol
>
> True story btw.
>
> https://secure.wikimedia.org/wikiped...ser:Raylopez99
> --
> My Medline articles -http://tinyurl.com/34r38aq


Somebody named Ari Silverstein is really pissed at you using his name
here, ********.

Turns out I sprained my back--nerves from the back cross at your nuts,
doc said. A real doctor, not a pretend one like you, wacko.

> My Medline articles - http://tinyurl.com/34r38aq


"Post-traumatic middle cerebral artery occlusion.
S A Hollin, M H Sukoff, A Silverstein, S W Gross " (Talk about an
obscure article--I guess if you pick an obscure enough subject, nobody
will bother challenging your findings)

Sukoff? Gross? Your co-authors are named Suk-off and Gross? Fitting
for a fake jew doctor like you. Like I said, the real Dr. Silverstein
is going to come after your sorry *** for disparaging his name.

RL

#43
11-09-2010, 10:49 PM
Ari Silverstein
Re: Anybody know how https *really* works? I didn't think so

On Mon, 8 Nov 2010 14:48:39 -0800 (PST), RayLopez99 wrote:

> On Nov 9, 12:40 am, Ari Silverstein <AriSilverst...@yahoo.com> wrote:
>
>> Yeah, I remember when Ray was trolling the fitness and weights
>> newsgroups and BBs trying to get medical advice on why one of his
>> nuts hurt. He refused to admit to what was an obvious fact to all of
>> us that was when you whack-off 6-10x/day, and are RHanded, chances are
>> you're going to have a sore right testicle. lol
>>
>> True story btw.
>>
>> https://secure.wikimedia.org/wikiped...ser:Raylopez99
>> --
>> My Medline articles -http://tinyurl.com/34r38aq

>
> Somebody named Ari Silverstein is really pissed at you using his name
> here, ********.


Did oo tell on me? lol

> Turns out I sprained my back--nerves from the back cross at your nuts,
> doc said. A real doctor, not a pretend one like you, wacko.


Sprained your back, whacking off? DuOD have you heard of Fleshlight?

> Sukoff? Gross? Your co-authors are named Suk-off and Gross? Fitting
> for a fake jew doctor like you. Like I said, the real Dr. Silverstein
> is going to come after your sorry *** for disparaging his name.
>
> RL


Oh, no, well tell him I'm at the lounge tonight.

*rofl*
--
http://www.youtube.com/watch?v=hVvO2xdW2JY
<http://1.bp.blogspot.com/_WhnvofcHy48/S1x6cF7m4DI/AAAAAAAAA0k/Qc0Fd0ZSmk4/s1600-h/RIMG0018-1.JPG>
