Re: Re: Basic SSL question...

[Shalendra Chhabra]

HI
I think you know what I am talking about.
Well I read this about in a Paper by Scheiner
An Analysis of SSL 3.0 Protocol
Actually I am an Indian Student doing my Internship in France. We 
are working on extraction of Instrusion Detection Signatures from 
Failed Proofs of Cryptographic Protocols. FOr that I needed to 
know each and every thing associated with SSL and in knowing that 
I was trying to figure out what may be possible attacks and 
vulnerabilities.
Please see below also:


 But even , SSL Encrypted web urls can be subjected to traffic
 analysis attack
 bye
 Shalendra

Traffic analysis is possible, of course. In case of a simple
SSL protected web server the attacker can identify the server
you are talking to, and figure out the size and number of the
downloaded pages. If (s)he knows what sort of pages are on the
server (s)he may reconise which ones have been accessed. But
it's not a significant security risk in general.


Yes! You are 100% right and also I did nt take this thing in 
account in my project since traffic analysis is passive and can be 
done from anywhere.
But I would like to know do you have any program or script for 
this:
since a client and a server have SSL Encrypted Communication but 
URL requests if encrypted using stream ciphers, we can know the 
length of URLs and you said
intruder or third party can identify the SERVER(HOW???)
and if it identifies the server and a script/program can be 
written to know how many pages of a given URL length, are on that 
sever and the attaker can figure out what sort of pages may have 
been accessed.

Thanks for Discussion
Shalendra








Sandor


--
Sandor Nagy,CISSP,Senior Software Engineer, Sophos Anti-Virus
Real Business/CBI Growing Business Awards: Company of the Year
Email: [EMAIL PROTECTED], Tel: 01235 559933, Web: 
www.sophos.com

__
OpenSSL Project 
http://www.openssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager   
[EMAIL PROTECTED]

_
There is always a better job for you at Monsterindia.com.
Go now http://monsterindia.com/rediffin/

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: basic SSL

[Hegde, Ramdas]

There are code examples in the openssl installation under the apps
directory.
If you need a more detailed example, you can check out Eric Rescorla's book
SSL and TLS. It has a complete chapter on coding and the code examples
from the book are available  at http://www.rtfm.com/sslbook/examples

Ramdas

-Original Message-
From: Aengus McIntyre [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 30, 2001 6:11 AM
To: [EMAIL PROTECTED]
Subject: basic SSL


Hello all,

I am relatively new to SSL and am cuurenntly researching it for my project.
I am enquiring as to whether anyone would happen to know any useful links
which contain a simple working example , or indeed, has a simple appliction
of their own,   just to get me started.

If I could see an SSL apllication myself, I reckon the SSL documentation
would be much easier to comprehend.
Thanking you in advance for your replies.

Aengus



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]