
Thread: Why is a "secure connection" (SFTP, HTTPS, etc.) actually secure?

  1. #1
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,162
    Thanks
    263
    Thanked 690 Times in 678 Posts

    Default Why is a "secure connection" (SFTP, HTTPS, etc.) actually secure?

    The problem with a non-secure website is that anyone on your internet connection can look for the packets you send and put the pieces back together. It's easy, for example, to silently steal passwords if you're sending them to a non-secure site.

    And a secure connection encrypts that data. Let's assume the algorithm is not hacked. Ok, it works. The idea is simple: you and the server share an encryption key and all of the data transmitted is meaningless until decrypted with that key. Simple. If anyone is listening in, all they see is useless characters.

    But... what I don't understand is why that key is secure in the first place. If someone was listening to my entire session (let's say I go to my bank's website, I get the encryption key [unencrypted, right?], and then I send my now encrypted password, and I do my stuff, and I leave the coffee shop)... then, with all of the information, wouldn't they be able to see it, assuming they had the right methods to apply the key to the data?

    Why is the key itself secure? Or is that just an extra measure used to make it one layer harder to hack people?


    Moderator's note: This topic borders on hacking topics; my intention in posting it is to know about security, not to ask how to hack anything-- I'm interested in whether hacking in a certain situation is possible, not how to do it. This is not a hacking website, so please do not post any direct instructions for how to hack.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  2. #2
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,709
    Thanks
    82
    Thanked 90 Times in 88 Posts

    Default

    Not being any expert it sounds like it is just an extra step which is important. It also is a way for corporations to let customers know that they are taking at least that one step to ensure their customers' information is protected.
    To choose the lesser of two evils is still to choose evil. My personal site

  3. The Following User Says Thank You to james438 For This Useful Post:

    djr33 (02-06-2013)

  4. #3
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5

    Default

    SSL really is fairly secure, even in the circumstance you describe. There are two keys: public and private. One encrypts, the other decrypts. They're paired, but you can't infer one from the other. The server can send you the public key (and your browser can send the server its public key), and it won't matter in the least if someone intercepts it, because it can't decrypt anything.

  5. The Following User Says Thank You to traq For This Useful Post:

    djr33 (02-06-2013)

  6. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,162
    Thanks
    263
    Thanked 690 Times in 678 Posts

    Default

    Aha! So each end of the connection can only encrypt, except with its local-only decryption key. I've seen those terms (private/public key) and not known what they meant.
    That's cool. I hadn't thought of it that way, but it makes sense!


    Does the private key change sometimes? To avoid brute force problems, it seems to make sense to switch it once in a while.

  7. #5
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5

    Default

    You can change your private key whenever you like, but you have to issue new public keys.

  8. #6
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,162
    Thanks
    263
    Thanked 690 Times in 678 Posts

    Default

    I mean, does it automatically rotate (and along with that, send the new public keys)? Or is a single computer generally associated with a single private (and public) key for a long time?

  9. #7
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 517 Times in 503 Posts
    Blog Entries
    5

    Default

    A distinction: the server's (and sometimes, the client's) public key is used only to negotiate a secure connection. During this "handshake", the client and server use the key - along with other data unique to the connection - to create session keys, which will be used to encrypt/decrypt later messages.

    To answer the question, SSL is stateful - as opposed to the "stateless" HTTP protocol - the "handshake" only needs to happen once.
    However, either end can decide to renegotiate (discard the current SSL session and start a new one) at any time. If this generally only happens under certain conditions, or if it "rotates" regularly, I don't know.

  10. The Following User Says Thank You to traq For This Useful Post:

    djr33 (02-07-2013)
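
The handshake described in post #7, as an added example that is not part of the original thread: the client encrypts a fresh secret with the server's public key, both ends mix it with per-connection random values to get the same session key, and a listener holding the full wire transcript does not. Assumptions: a toy, unpadded RSA key built from two small known primes, HMAC-SHA256 standing in for the real key-derivation function, and hypothetical function names throughout.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair built from two known Mersenne primes (constructed for this
# demo; far too small and unpadded for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                               # public modulus, sent to every client
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, never leaves the server


def derive_session_key(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Mix the shared secret with the per-connection random values."""
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()


def handshake():
    """Run one handshake; return (client_key, server_key, wire_transcript)."""
    client_random = secrets.token_bytes(16)      # sent in the clear
    server_random = secrets.token_bytes(16)      # sent in the clear
    # Client: pick a secret and encrypt it with the server's PUBLIC key (N, E).
    premaster = secrets.token_bytes(16)
    ciphertext = pow(int.from_bytes(premaster, "big"), E, N)
    client_key = derive_session_key(premaster, client_random, server_random)
    # Server: only the holder of D can recover the secret from the ciphertext.
    recovered = pow(ciphertext, D, N).to_bytes(16, "big")
    server_key = derive_session_key(recovered, client_random, server_random)
    # Everything a listener on the network gets to see.
    wire = {"n": N, "e": E, "client_random": client_random,
            "server_random": server_random, "ciphertext": ciphertext}
    return client_key, server_key, wire


def eavesdropper_guess(wire: dict) -> bytes:
    """Key derived from the wire alone: the listener holds the ciphertext,
    not the premaster secret, so the derivation lands on a different key."""
    fake_premaster = wire["ciphertext"].to_bytes(32, "big")
    return derive_session_key(fake_premaster, wire["client_random"], wire["server_random"])


if __name__ == "__main__":
    ck, sk, wire = handshake()
    print("client and server agree:", ck == sk)
    print("eavesdropper matches:   ", eavesdropper_guess(wire) == ck)
```

Each call to `handshake()` produces a different session key, because the random values and the premaster secret are fresh per connection even though the server's key pair stays the same.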
