"Marcus J. Ranum" wrote:
> 
> Does anyone have a pointer to why the session ID in SSLV3 is
> in the clear, rather than encrypted? I'm sure there's a good
> reason for it (audit? logging? other...?)  but I'm trying to
> pin down exactly why it was done that way. Can anyone point
> me in the right direction?

Because it is sent in the first message from the client
to the server.  It is intended to short-circuit the
SSL protocol handshake and reduce the number of messages
exchanged.

Since the client and server don't have a known shared secret yet,
we cannot encrypt the session-id.

eric
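To make the point concrete, here is an added example (not code from either poster) that models the mechanism described above: an SSLv3 ClientHello carries the session ID as a plain length-prefixed field, so anyone holding the bytes can read it before any key exists, and the server uses it to look up a cached master secret and skip most of the handshake. The ClientHello layout follows the SSLv3 wire format; the message lists, the in-memory session cache and the `Server` class are assumptions for illustration and count only handshake-protocol messages (ChangeCipherSpec is its own record type and is left out).

```python
import os
import struct

SSL3_VERSION = b"\x03\x00"  # {major 3, minor 0}

# Handshake-protocol messages for an RSA handshake without client auth
# (constructed model; ChangeCipherSpec records are not counted).
FULL_HANDSHAKE = ["ClientHello", "ServerHello", "Certificate", "ServerHelloDone",
                  "ClientKeyExchange", "Finished(client)", "Finished(server)"]
ABBREVIATED_HANDSHAKE = ["ClientHello", "ServerHello", "Finished(server)", "Finished(client)"]


def build_client_hello(session_id: bytes, cipher_suites=(b"\x00\x2f",), client_random=None) -> bytes:
    """Serialize an SSLv3 ClientHello handshake message.

    session_id (0..32 bytes) goes on the wire unencrypted: at this point the
    peers share nothing that could be used as a key.
    """
    if len(session_id) > 32:
        raise ValueError("session_id longer than 32 bytes")
    client_random = client_random or os.urandom(32)
    suites = b"".join(cipher_suites)
    body = (SSL3_VERSION
            + client_random
            + bytes([len(session_id)]) + session_id          # opaque SessionID<0..32>
            + struct.pack(">H", len(suites)) + suites        # CipherSuite<2..2^16-1>
            + b"\x01\x00")                                   # compression: null only
    # Handshake header: HandshakeType client_hello(1) + 24-bit body length.
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_session_id(client_hello: bytes) -> bytes:
    """Read the session_id straight out of the ClientHello with no key material."""
    if client_hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = client_hello[4:]
    if body[:2] != SSL3_VERSION:
        raise ValueError("not SSLv3")
    sid_len = body[34]                 # 2 bytes version + 32 bytes random
    return body[35:35 + sid_len]


class Server:
    """Toy server keeping a session cache: session_id -> master_secret (assumption)."""

    def __init__(self):
        self.cache = {}

    def handle(self, client_hello: bytes) -> dict:
        sid = parse_session_id(client_hello)
        if sid and sid in self.cache:
            # Cached secret found: the full key exchange is skipped.
            return {"resumed": True, "session_id": sid,
                    "master_secret": self.cache[sid],
                    "messages": list(ABBREVIATED_HANDSHAKE)}
        # Unknown or empty id: negotiate a fresh session and remember it.
        new_sid = os.urandom(32)
        master_secret = os.urandom(48)
        self.cache[new_sid] = master_secret
        return {"resumed": False, "session_id": new_sid,
                "master_secret": master_secret,
                "messages": list(FULL_HANDSHAKE)}


def run_two_connections():
    """First connection: full handshake. Second: resumes using the id from the first."""
    server = Server()
    first = server.handle(build_client_hello(b""))
    second = server.handle(build_client_hello(first["session_id"]))
    return first, second


if __name__ == "__main__":
    first, second = run_two_connections()
    print("full handshake:", len(first["messages"]), "messages")
    print("resumed handshake:", len(second["messages"]), "messages")
```

Running it shows the second connection completing with four handshake messages instead of seven, and `parse_session_id` recovering the identifier from raw bytes alone, which is exactly why the field cannot be protected at that point in the exchange.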
