On Tue, Jun 15, 1999 at 08:38:25PM +0200, Bodo Moeller wrote:
> On Tue, Jun 15, 1999 at 02:06:34PM -0400, Timothy Canfield wrote:

>> I have heard that there is a context sent along with a client hello
>> message and that most browsers include the URL they are requesting.  Is
>> this true?

> It is as accurate as the "Subject" line of your message.

Well, again I am reminded that it is very hard to come up with a
statement that does not have the slightest hint of truth in it ...
The client hello message does not contain anything like a URL, but if
the client previously connected to the same server, it can include a
"session ID", which is just a random sequence of bytes created by the
server during the previous connection.  Now if the client presents in
a client hello message a session ID that the attacker did not
previously see on the network, then (assuming that the attacker reads
every connection) the attacker can conclude that the client and server
did an SSL/TLS renegotiation during a previous connection; i.e. after
the initial handshake, in the encrypted part of the connection, a
second handshake was performed, which typically means that the client
requested during that connection a URL for which further
authentication (a client certificate) was necessary.  But it should
have been easy to tell that renegotiation was going on already during
that previous connection, because the pattern of byte lengths of the
data sent by the respective parties is quite characteristic.
And, of course, even during an encrypted HTTP session there are many
hints to what is going on: The length of each request, and the length
of the reply (both a little fuzzy due to padding).  If the server has
just a small number of static pages, then it's usually easy to tell
which ones are requested because their length differs.  And if you
are querying your bank account via HTTPS, then an attacker may be able
to find out whether the balance has more than, say, three digits or not.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
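
The cleartext fields discussed in the message above, as an added example that is not part of the original e-mail or of OpenSSL: a parser for the SSL 3.0 / TLS 1.0 ClientHello layout, run over constructed sample bytes. The function names and the sample record are assumptions for illustration; any bytes after the compression methods are only counted, not decoded.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Parse one SSL 3.0 / TLS 1.0 record that carries a complete ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4:
        raise ValueError("not a complete handshake record")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) != int.from_bytes(body[1:4], "big"):
        raise ValueError("truncated handshake message")
    pos = 0

    def take(n: int) -> bytes:
        # Bounds-checked read so a malformed length cannot run past the message.
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("field runs past end of ClientHello")
        chunk, pos = hello[pos:pos + n], pos + n
        return chunk

    version = struct.unpack("!H", take(2))[0]
    take(32)                                  # client random: no URL in here
    sid_len = take(1)[0]
    if sid_len > 32:
        raise ValueError("session ID longer than 32 bytes")
    session_id = take(sid_len)                # empty unless resumption is offered
    suites = take(struct.unpack("!H", take(2))[0])
    if len(suites) % 2:
        raise ValueError("odd cipher suite list length")
    return {"version": version, "session_id": session_id,
            "cipher_suites": [int.from_bytes(suites[i:i + 2], "big")
                              for i in range(0, len(suites), 2)],
            "compression_methods": list(take(take(1)[0])),
            "trailing_bytes": len(hello) - pos}

def build_sample(session_id: bytes) -> bytes:
    """Constructed sample record (all-zero random, two suites); not captured traffic."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x04\x00\x0a\x00\x05" + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for sid in (b"", bytes(range(32))):       # first contact vs. offered resumption
        print(parse_client_hello(build_sample(sid)))
```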
