Re: [twsocket] TWSocketServer and TWSocket Port
RTT wrote:
>>> Man in the Middle attacks don't work if the man in the middle doesn't know how to handle the encrypted data/protocol he is intercepting.
>> True, and how do you make sure that it is not happening?
> It can't happen, because the man in the middle can't generate valid data, or alter intercepted data while maintaining its validity, if he can't break the encryption algorithm in time to inject his packets of data.

With a stolen key that's easy.

> This is also valid for SSL.

No, the difference is that SSL is able to detect the man in the middle. Usually the certificate includes some information like the domain name or IP address, so even if the attacker used a stolen certificate, peer verification would fail and the connection won't be established.

>>> Closed standards are inherently much more secure than open standards.
>> That's nothing but security through obscurity: http://en.wikipedia.org/wiki/Security_through_obscurity
> That's just a theoretical argument, not an undoubted reality.

There are enough examples mentioned in that wiki article to prove the opposite.

>>> In this type of project the use of this standard is wrong. He just doesn't need the SSL implementation complexity, nor the resulting slow start of communication, just to get his data secure.
>> I don't know what _he_ needs; if _you_ want to invent your own security standards feel free to do so. SSL/TLS is used and accepted world-wide.
> Neither do I, but I'm assuming he only needs what a generic data communication service needs in terms of security: pass data in a way that it can't be tampered with or understood if intercepted by someone outside the communication points.
> I'm not replying to you, Arno, to be impertinent. Far from that. It's just my opinion that a symmetric keyed algorithm, such as AES or Blowfish, with a clever time-volatile salt added to the key, is enough for this case in particular.

The weak point here is key delivery. Keys should be changed very frequently. How do you make sure that keys are not stolen and are received by the right people? They should never be hard-coded in the application. SSL negotiates a unique symmetric key per session, so even if the key was found by brute force it can be used only to decrypt a single SSL session.

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] TWSocketServer and TWSocket Port
> It is a very simple monitoring system. SSL is okay for this as far as I am concerned.

As others have said to you already, just concentrate your efforts on the development of the client and server code. Leave the data encryption to the last stage of the project. Starting with the SSL components, just because you want your data exchange to have some kind of protection in the final implementation, is wrong. Start simple, and increase the complexity after you are comfortable with what you already have.

> For me the most important thing here is to learn one thing at a time.

So, leave SSL apart for now.

> If I listen to you, I have to start learning something else also. Your way of handling this is not going to help me to understand the ICS sockets better; it will make things more complicated and difficult.

Where did I say that? It's exactly the contrary. You are the one that insists on the usage of a complex component from the start.

> A question: would you help me with a few code examples if I do exactly what you are saying?

You have all you need to start in the ICS standard samples, and Francois and others already pointed you to the correct ones, and even gave you code examples for specific questions, but you continue asking the same questions, over and over again. My feeling is that your knowledge of the Delphi language itself is very limited, and this is not the right place to learn it.

> If you really want to help me, post me a few examples (don't explain) of how to:
> - Send a command to the client socket by using its computer name

It has been explained to you already, more than one time.

> - Receive WMI information from the client socket == I am not asking you to help with WMI, I can do it myself; all I need is how to connect to WMI from the server socket to the client socket and receive the data.

Already explained too. Use the ongoing client-to-server connection to send data to the client.

> - How to handle the errors of sockets (example: if the client loses the connection it gives an error in the window; how can this be handled in the sockets?).

Just ask this directly in the list. I'm not an expert in the subject.
Re: [twsocket] TWSocketServer and TWSocket Port
> With a stolen key that's easy.

Sure, and this is exactly what SSL tries to circumvent. But it is not so easy if the encryption key is not a fixed value, but a variable one. The attacker will need to steal the client or server code and reverse engineer it too.

>> This is also valid for SSL.
> No, the difference is that SSL is able to detect the man in the middle. Usually the certificate includes some information like the domain name or IP address, so even if the attacker used a stolen certificate, peer verification would fail and the connection won't be established.

Man in the middle attacks intercept data in a transparent way, in the middle of the line and in an ongoing communication. The in-the-middle IP address is not even a variable for the peer verification.

>> I'm not replying to you, Arno, to be impertinent. Far from that. It's just my opinion that a symmetric keyed algorithm, such as AES or Blowfish, with a clever time-volatile salt added to the key, is enough for this case in particular.
> The weak point here is key delivery. Keys should be changed very frequently. How do you make sure that keys are not stolen and are received by the right people? They should never be hard-coded in the application. SSL negotiates a unique symmetric key per session, so even if the key was found by brute force it can be used only to decrypt a single SSL session.

True, but you can also have your own key exchange method too. And you would reply, so why not use the already available SSL protocol that does exactly that? Because everyone knows how it works, and if I'm going to develop my client and server, I don't need to use something that is publicly available.
Re: [twsocket] TWSocketServer and TWSocket Port
> So, leave SSL apart for now.

I don't see any reason to leave SSL because I have already spent 3 weeks making a lot of tests and have learned much about SSL, and I will continue. I am also hoping that you guys try to understand my approach instead of asking me to leave it. SSL is good enough for me, as Arno has also convinced me about it. If I can figure out a few things then I will have no problem doing my project to the end, because I am already very close to it.

> My feeling is that your knowledge of the Delphi language itself is very limited, and this is not the right place to learn it.

This is something which isn't easy to tell, what limited knowledge is. Every programmer is good in some fields, and network communication is not mine.

> It has been explained to you already, more than one time.

You probably have, but I haven't understood a bit of it. Explaining is one thing and understanding is another. And expecting that everything is as simple as you have explained, and expecting that the person is capable of understanding exactly what you are saying, is also another thing. Everything will work perfectly when you guys stop treating me as a guru and try to give me samples of what can be done and how it can be used. Please MARK THIS!! I am not asking anyone to write code for me, I can do that myself. All I am asking is to explain it with a sample of what can be done and how it can be done; guide me to the samples, guide me in the direction. Most of the time I am getting one explanation and 4 different directions, such as yours telling me to use something else than what I am trying to do. And, please, let's quit this here and continue with some other subjects.
Re: [twsocket] TWSocketServer and TWSocket Port
SOLVED!!

-----Original Message-----
From: daniel cc
Sent: Thursday, January 27, 2011 7:33 PM
To: ICS support mailing
Subject: Re: [twsocket] TWSocketServer and TWSocket Port
Re: [twsocket] TWSocketServer and TWSocket Port
RTT wrote:
>> With a stolen key that's easy.
> Sure, and this is exactly what SSL tries to circumvent. But it is not so easy if the encryption key is not a fixed value, but a variable one. The attacker will need to steal the client or server code and reverse engineer it too.
>>> This is also valid for SSL.
>> No, the difference is that SSL is able to detect the man in the middle. Usually the certificate includes some information like the domain name or IP address, so even if the attacker used a stolen certificate, peer verification would fail and the connection won't be established.
> Man in the middle attacks intercept data in a transparent way, in the middle of the line and in an ongoing communication. The in-the-middle IP address is not even a variable for the peer verification.

Without the certificate(s) and private key(s) he may intercept transparently as long as he likes. When he wants to decrypt the session on the fly he has to go thru the handshake process on behalf of the victim by presenting the stolen certificate(s), acting as a proxy server.

>>> I'm not replying to you, Arno, to be impertinent. Far from that. It's just my opinion that a symmetric keyed algorithm, such as AES or Blowfish, with a clever time-volatile salt added to the key, is enough for this case in particular.
>> The weak point here is key delivery. Keys should be changed very frequently. How do you make sure that keys are not stolen and are received by the right people? They should never be hard-coded in the application. SSL negotiates a unique symmetric key per session, so even if the key was found by brute force it can be used only to decrypt a single SSL session.
> True, but you can also have your own key exchange method too. And you would reply, so why not use the already available SSL protocol that does exactly that?

Exactly.

> Because everyone knows how it works,

That's the point: bugs in proprietary protocols are usually not found as fast as bugs in public protocols (by the good guys).

> and if I'm going to develop my client and server, I don't need to use something that is publicly available.

Of course you can, I just doubt that it's more secure than properly implemented SSL/TLS.

--
Arno Garrels
Re: [twsocket] TWSocketServer and TWSocket Port
On 27-01-2011 18:27, Arno Garrels wrote:
> Without the certificate(s) and private key(s) he may intercept transparently as long as he likes. When he wants to decrypt the session on the fly he has to go thru the handshake process on behalf of the victim by presenting the stolen certificate(s), acting as a proxy server.

But stolen keys was your previous argument. After you have it, decoding the data is much easier if you know how the key is used to encrypt/decrypt it. Knowing the encryption algorithm is also important for decoding the data with brute force, if you just want to see what the communication is all about. That's why the security agencies don't like closed protocols.
Re: [twsocket] TWSocketServer and TWSocket Port
RTT wrote:
> That's why the security agencies don't like closed protocols.

Nobody knows whether a proprietary security protocol has some built-in universal key, given e.g. to a security agency. That's also why users should not rely on proprietary security protocols and cryptographic algorithms. AFAIK, serious companies won't buy such software, except perhaps if they are big enough to verify from the source code that it's safe to use. So using open, well-known standards is a selling point too, at least in the league I'm playing in.

--
Arno Garrels
[twsocket] TWSocketServer and TWSocket Port
Hello all,

If I have a server and client component at one side, and a server and client component at the other side:

Side A: TWSocketServer and TWSocket == Acts as client
Side B: TWSocketServer and TWSocket == Acts as server

Side A connects automatically to site B because site A is acting as client and site B is acting as server. Now, site B, which is the server, needs to have port 443 open (I am using SSL sockets in both sites) in order to be able to receive the client (site A). When site A connects to site B it informs its IP and port; can this informed port be used for connecting from site B to site A (like reverse)?

Here is the goal: I want to be able to avoid opening the ports at site A; I would like to use the same port which site A uses when it connects to site B. Could you please let me know if this is possible with SSL components?

thanks
Re: [twsocket] TWSocketServer and TWSocket Port
> I would like to use the same port which site A uses when it connects to site B.

Yes, you can have the same listening port at both sides.

--
francois.pie...@overbyte.be
http://www.overbyte.be
Re: [twsocket] TWSocketServer and TWSocket Port
>> I would like to use the same port which site A uses when it connects to site B.
> Yes, you can have the same listening port at both sides.

Thanks for the response. Yes, I know I can listen on the same ports, but my question is: can I do that at site A without opening any ports at the routers/firewalls? The goal is to have ports open only at site B, which is the server. I hope I am explaining this correctly.

Thanks
Re: [twsocket] TWSocketServer and TWSocket Port
>>> I would like to use the same port which site A uses when it connects to site B.
>> Yes, you can have the same listening port at both sides.
> Thanks for the response. Yes, I know I can listen on the same ports, but my question is: can I do that at site A without opening any ports at the routers/firewalls?

As soon as you have a listening port on a LAN accessible from the outside thru a firewall or NAT router, you have to open the port.

> The goal is to have ports open only at site B, which is the server.

Then use only one socket and make all communications over that unique connection. No other choice in your situation.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be
Re: [twsocket] TWSocketServer and TWSocket Port
> Then use only one socket and make all communications over that unique connection. No other choice in your situation.

Thanks Francois. Please do correct me if I am wrong. Now, you are saying that it is not possible to have only the server port opened; I need to open port 443 at both sites. Site A port 443 needs to be open on the PC and on the firewall. Site B port 443 needs to be open on the PC and on the firewall. If this is correct, then it means there are no options to reverse the communication between the sockets, and it also means the client PC cannot be accessed in any way. It also means I cannot run a remote client Windows command prompt from the server. It also means I cannot use WMI to collect the client system info or modify the client system info. I am just hoping that I am totally wrong!!
Re: [twsocket] TWSocketServer and TWSocket Port
> Please do correct me if I am wrong. Now, you are saying that it is not possible to have only the server port opened; I need to open port 443 at both sites. Site A port 443 needs to be open on the PC and on the firewall. Site B port 443 needs to be open on the PC and on the firewall.

No, I didn't mean to say that. I said: you can have a listening port 443 at site A and/or at site B as you like. As soon as you have a listening port on any side, then to be able to reach that port from the outside, you have to open the port in the firewall/router/whatever on the box which is on the physical link, and also on the computer itself. This is not related to ICS but simply how TCP/IP networking works.

> If this is correct, then it means there are no options to reverse the communication between the sockets, and it also means the client PC cannot be accessed in any way.

A client PC can never be reached. This is exactly what makes the difference between a client and a server. A server is the one accepting incoming connections. The client is the one initiating outgoing connections. As far as firewall/routing is concerned, whatever the direction of a connection, the firewall/router must be configured to accept the connection. Usually all outgoing connections are open and all incoming connections are closed.

> It also means I cannot run a remote client Windows command prompt from the server.

Not correct. The client can open the connection with the server. Then the server may send commands to the client, using the established connection, to instruct the client to run a command prompt (with appropriate I/O redirection so that input/output goes from/to the connection between client and server).

> It also means I cannot use WMI to collect the client system info or modify the client system info.

Not correct.

> I am just hoping that I am totally wrong!!

Almost. I think you have not figured out the software layers in your head. One thing is the link layer (the connection between client and server). Another thing is the application layer (commands/responses transported by the link, in both directions).

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be
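Francois's distinction between the link layer (one client-initiated connection) and the application layer (commands and responses carried on it, in both directions), together with RTT's earlier remark to use the ongoing client-to-server connection to send data to the client, can be shown with a plain-TCP Python sketch. This is an added example, not ICS or Delphi code from the thread. The "agent" (site A) dials out, the "console" (site B) is the only listener, and the console then sends requests back down that same socket, so nothing is opened in the agent's firewall. The host name, the facts table and the request names are constructed; a real deployment would run this framing inside the SSL connection the thread discusses, and the agent would answer from WMI instead of a dictionary.

```python
"""One client-initiated TCP connection carrying requests in both directions.

Added example (not from the twsocket thread or ICS). Framing: 4-byte
big-endian length prefix followed by a UTF-8 text line.
"""
import socket
import struct
import threading

# Constructed sample of what the agent would report; a real agent would query WMI.
AGENT_FACTS = {"HOSTNAME": "WKS-01", "OS": "Windows 7", "UPTIME": "3d 04:12"}

# Application-layer protocol: the agent answers only requests it explicitly knows.
ALLOWED_REQUESTS = frozenset(AGENT_FACTS) | {"PING"}


def send_frame(sock: socket.socket, text: str) -> None:
    data = text.encode("utf-8")
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; TCP delivers a byte stream, not messages."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return bytes(buf)


def recv_frame(sock: socket.socket, max_len: int = 64 * 1024) -> str:
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > max_len:  # refuse absurd lengths before allocating
        raise ValueError("frame too large")
    return recv_exact(sock, length).decode("utf-8")


def handle_request(request: str) -> str:
    """Agent-side dispatcher: allow-list only, the text never reaches a shell."""
    if request == "PING":
        return "PONG"
    if request in ALLOWED_REQUESTS:
        return f"{request}={AGENT_FACTS[request]}"
    return "ERR unknown request"


def agent(console_host: str, console_port: int) -> None:
    """Site A: connect out, then serve requests arriving on the same socket."""
    with socket.create_connection((console_host, console_port)) as sock:
        send_frame(sock, "HELLO " + AGENT_FACTS["HOSTNAME"])
        while True:
            try:
                request = recv_frame(sock)
            except ConnectionError:
                break  # console went away; a real agent would reconnect later
            if request == "BYE":
                break
            send_frame(sock, handle_request(request))


def console_session(conn: socket.socket, requests: list) -> list:
    """Site B: once the agent has connected, push requests and collect replies."""
    replies = [recv_frame(conn)]  # the agent's HELLO
    for req in requests:
        send_frame(conn, req)
        replies.append(recv_frame(conn))
    send_frame(conn, "BYE")
    return replies


def run_demo(requests=("PING", "OS", "UPTIME", "REBOOT")) -> list:
    """Start the console on a loopback port, connect an agent, exchange frames."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the only listening socket in the demo
    listener.listen(1)
    port = listener.getsockname()[1]

    t = threading.Thread(target=agent, args=("127.0.0.1", port), daemon=True)
    t.start()
    conn, _ = listener.accept()
    with conn:
        replies = console_session(conn, list(requests))
    listener.close()
    t.join(timeout=5)
    return replies


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The dispatcher is the part worth copying: the agent answers a fixed set of request names and never hands request text to a command interpreter, which is what separates a monitoring agent from a backdoor even though both use the same reverse-connection link layer.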
Re: [twsocket] TWSocketServer and TWSocket Port
> (I am using SSL sockets in both sites)

Why do you insist on using SSL if the client and server applications are coded by you?!! Why use a standard that only exists because of the need to connect many different implementations of clients to many different implementations of servers? You will be much more secure if you encode your data with your own method, using a much more powerful encryption algorithm than the one used by SSL. And you even get rid of third-party code, such as the OpenSSL DLLs.
Re: [twsocket] TWSocketServer and TWSocket Port
RTT wrote:
>> (I am using SSL sockets in both sites)
> Why do you insist on using SSL if the client and server applications are coded by you?!! Why use a standard that only exists because of the need to connect many different implementations of clients to many different implementations of servers? You will be much more secure if you encode your data with your own method, using a much more powerful encryption algorithm than the one used by SSL.

SSL/TLS actually uses common, powerful and strong encryption algorithms. However, secure peer-to-peer communication is much more than just that. SSL security includes, for instance, peer verification and protects against Man in the Middle attacks.

http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/Public-key_cryptography

--
Arno Garrels
Re: [twsocket] TWSocketServer and TWSocket Port
>> (I am using SSL sockets in both sites)
> Why do you insist on using SSL if the client and server applications are coded by you?!! Why use a standard that only exists because of the need to connect many different implementations of clients to many different implementations of servers? You will be much more secure if you encode your data with your own method, using a much more powerful encryption algorithm than the one used by SSL. And you even get rid of third-party code, such as the OpenSSL DLLs.

I insist because I have no other options, because I don't have the knowledge to do it the other way. Is that clear enough for you?
Re: [twsocket] TWSocketServer and TWSocket Port
Thanks Arno, your answer is just music to my ears :)

> RTT wrote:
>>> (I am using SSL sockets in both sites)
>> Why do you insist on using SSL if the client and server applications are coded by you?!! Why use a standard that only exists because of the need to connect many different implementations of clients to many different implementations of servers? You will be much more secure if you encode your data with your own method, using a much more powerful encryption algorithm than the one used by SSL.
>
> SSL/TLS actually uses common, powerful and strong encryption algorithms. However, secure peer-to-peer communication is much more than just that. SSL security includes, for instance, peer verification and protects against Man in the Middle attacks.
>
> --
> Arno Garrels
Re: [twsocket] TWSocketServer and TWSocket Port
> SSL/TLS actually uses common, powerful and strong encryption algorithms. However, secure peer-to-peer communication is much more than just that. SSL security includes, for instance, peer verification and protects against Man in the Middle attacks.

Man in the Middle attacks don't work if the man in the middle doesn't know how to handle the encrypted data/protocol he is intercepting. Closed standards are inherently much more secure than open standards. In this type of project the use of this standard is wrong. He just doesn't need the SSL implementation complexity, nor the resulting slow start of communication, just to get his data secure.
Re: [twsocket] TWSocketServer and TWSocket Port
RTT wrote:
>> SSL/TLS actually uses common, powerful and strong encryption algorithms. However, secure peer-to-peer communication is much more than just that. SSL security includes, for instance, peer verification and protects against Man in the Middle attacks.
> Man in the Middle attacks don't work if the man in the middle doesn't know how to handle the encrypted data/protocol he is intercepting.

True, and how do you make sure that it is not happening?

> Closed standards are inherently much more secure than open standards.

That's nothing but security through obscurity: http://en.wikipedia.org/wiki/Security_through_obscurity

> In this type of project the use of this standard is wrong. He just doesn't need the SSL implementation complexity, nor the resulting slow start of communication, just to get his data secure.

I don't know what _he_ needs; if _you_ want to invent your own security standards feel free to do so. SSL/TLS is used and accepted world-wide.

--
Arno Garrels
Re: [twsocket] TWSocketServer and TWSocket Port
>> Man in the Middle attacks don't work if the man in the middle doesn't know how to handle the encrypted data/protocol he is intercepting.
> True, and how do you make sure that it is not happening?

It can't happen, because the man in the middle can't generate valid data, or alter intercepted data while maintaining its validity, if he can't break the encryption algorithm in time to inject his packets of data. This is also valid for SSL.

>> Closed standards are inherently much more secure than open standards.
> That's nothing but security through obscurity: http://en.wikipedia.org/wiki/Security_through_obscurity

That's just a theoretical argument, not an undoubted reality.

>> In this type of project the use of this standard is wrong. He just doesn't need the SSL implementation complexity, nor the resulting slow start of communication, just to get his data secure.
> I don't know what _he_ needs; if _you_ want to invent your own security standards feel free to do so. SSL/TLS is used and accepted world-wide.

Neither do I, but I'm assuming he only needs what a generic data communication service needs in terms of security: pass data in a way that it can't be tampered with or understood if intercepted by someone outside the communication points.

I'm not replying to you, Arno, to be impertinent. Far from that. It's just my opinion that a symmetric keyed algorithm, such as AES or Blowfish, with a clever time-volatile salt added to the key, is enough for this case in particular.
Re: [twsocket] TWSocketServer and TWSocket Port
RTT,

First, I am not building a bank system where I would need extremely high security. It is a very simple monitoring system. SSL is okay for this as far as I am concerned. You may be right or may not. For me the most important thing here is to learn one thing at a time. If I listen to you, I have to start learning something else also. Your way of handling this is not going to help me to understand the ICS sockets better; it will make things more complicated and difficult.

A question: would you help me with a few code examples if I do exactly what you are saying? No!! I didn't think so. My motto is: if you aren't gonna help, don't bother, because I have already got too many ideas and ways to use, and the Blowfish which you are talking about is one of them. Right now, I don't need ideas which make things more difficult and complicated; I only need help for learning the ICS socket communication.

If you really want to help me, post me a few examples (don't explain) of how to:
- Send a command to the client socket by using its computer name
- Receive WMI information from the client socket == I am not asking you to help with WMI, I can do it myself; all I need is how to connect to WMI from the server socket to the client socket and receive the data.
- How to handle the errors of sockets (example: if the client loses the connection it gives an error in the window; how can this be handled in the sockets?).

These samples could be uploaded to the ICS component site where every starter would have the possibility to use them as a help source.

Thanks
Re: [twsocket] TWSocketServer and TWSocket Port
RTT:
> Why do you insist on using SSL if the client and server applications are coded by you?!! Why use a standard that only exists because of the need to connect many different implementations of clients to many different implementations of servers?

It's easy to implement encryption, but you'll have to add key exchange also and exclude the possibility of key sniffing, which is quite a bit harder.

--
Anton
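The RTT/Arno exchange earlier in the thread (a symmetric cipher with a time-volatile salt versus SSL's per-session keys and its guarantee that a man in the middle cannot alter data undetected), together with Anton's remark that key exchange is the hard part, can be made concrete with a small Python script. This is an added example, not code from the thread or from ICS. It uses HMAC-SHA256 as a stand-in keystream so that it runs on the standard library alone, and every key, nonce and message in it is constructed. It shows two things: per-session keys derived from a long-term secret plus both peers' nonces differ from session to session, and "encryption only" lets a single flipped ciphertext bit change the received plaintext without the key, while the encrypt-then-MAC variant rejects the altered frame. It deliberately leaves out the hard part, getting the long-term secret to the right peer, which is exactly the key-delivery problem the thread identifies and which TLS solves with certificates.

```python
"""Toy authenticated transport: per-session keys plus encrypt-then-MAC.

Added example, not code from the twsocket thread or from ICS. The HMAC-SHA256
keystream stands in for a real cipher such as AES-CTR so that the script needs
only the standard library. Keys, nonces and messages are constructed.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def derive_session_keys(master_secret: bytes, client_nonce: bytes, server_nonce: bytes):
    """Derive separate per-session encryption and MAC keys from a long-term
    secret and both peers' fresh nonces (HKDF-style extract/expand with HMAC).
    Sessions with different nonces get unrelated keys."""
    prk = hmac.new(master_secret, client_nonce + server_nonce, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(enc_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    """Decrypts anything of the right shape; it cannot tell tampered input apart."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    ct = encrypt_unauthenticated(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before touching the ciphertext; raise on mismatch."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message authentication failed")
    return decrypt_unauthenticated(enc_key, ct)


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate a one-bit change in transit at byte `index`; no key involved."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def demo() -> dict:
    """Send one constructed reading both ways, alter one bit, report what each receiver sees."""
    master = b"constructed-long-term-secret"  # constructed; distribution is out of scope
    enc_a, mac_a = derive_session_keys(master, b"nonceA-client", b"nonceA-server")
    enc_b, mac_b = derive_session_keys(master, b"nonceB-client", b"nonceB-server")

    msg = b"TEMP=21"
    last = NONCE_LEN + len(msg) - 1  # position of the last plaintext byte ('1')

    # Confidentiality only: the flipped ciphertext byte decrypts to a different digit.
    tampered_plain = decrypt_unauthenticated(enc_a, flip_bit(encrypt_unauthenticated(enc_a, msg), last))

    # Encrypt-then-MAC: the same flip is rejected before any decryption happens.
    ablob = encrypt_authenticated(enc_a, mac_a, msg)
    try:
        decrypt_authenticated(enc_a, mac_a, flip_bit(ablob, last))
        rejected = False
    except ValueError:
        rejected = True

    return {
        "tampered_plaintext": tampered_plain,
        "unauthenticated_accepted_tampered": tampered_plain != msg,
        "authenticated_rejected_tampered": rejected,
        "authenticated_roundtrip": decrypt_authenticated(enc_a, mac_a, ablob) == msg,
        "session_keys_differ": enc_a != enc_b and mac_a != mac_b,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the unauthenticated branch is the one RTT's argument misses: with a stream-style cipher an intermediary does not need the key or the algorithm to turn a reading of 21 into 20, only the position of the byte, and the receiver has no way to notice. The tag closes that gap; per-session derivation limits what a single recovered session key is worth; and neither addresses how the master secret reaches the peer, which is where the thread ends up and where TLS's certificate-based handshake does the work.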