HI
I think you know what I am talking about.
Well I read this about in a Paper by Scheiner
An Analysis of SSL 3.0 Protocol
Actually I am an Indian Student doing my Internship in France. We
are working on extraction of Instrusion Detection Signatures from
Failed Proofs of Cryptographic Protocols. FOr that I needed to
know each and every thing associated with SSL and in knowing that
I was trying to figure out what may be possible attacks and
vulnerabilities.
Please see below also:
But even , SSL Encrypted web urls can be subjected to traffic
analysis attack
bye
Shalendra
Traffic analysis is possible, of course. In case of a simple
SSL protected web server the attacker can identify the server
you are talking to, and figure out the size and number of the
downloaded pages. If (s)he knows what sort of pages are on the
server (s)he may reconise which ones have been accessed. But
it's not a significant security risk in general.
Yes! You are 100% right and also I did nt take this thing in
account in my project since traffic analysis is passive and can be
done from anywhere.
But I would like to know do you have any program or script for
this:
since a client and a server have SSL Encrypted Communication but
URL requests if encrypted using stream ciphers, we can know the
length of URLs and you said
intruder or third party can identify the SERVER(HOW???)
and if it identifies the server and a script/program can be
written to know how many pages of a given URL length, are on that
sever and the attaker can figure out what sort of pages may have
been accessed.
Thanks for Discussion
Shalendra
Sandor
--
Sandor Nagy,CISSP,Senior Software Engineer, Sophos Anti-Virus
Real Business/CBI Growing Business Awards: Company of the Year
Email: [EMAIL PROTECTED], Tel: 01235 559933, Web:
www.sophos.com
__
OpenSSL Project
http://www.openssl.org
User Support Mailing List
[EMAIL PROTECTED]
Automated List Manager
[EMAIL PROTECTED]
_
There is always a better job for you at Monsterindia.com.
Go now http://monsterindia.com/rediffin/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]