On Tue, October 1, 2013 11:40, Felmon Davis wrote:
> hello,
>
> am I mistaken? I thought any https address is already encrypted.
>
> F.

There is encryption and then there is ENCRYPTION. PKI certificate keys are only used to authenticate and to establish a cipher and share a secret session key between two hosts. If the negotiated key/cipher is low quality then the resulting https session data stream may be compromised with relative ease.

Unfortunately many, if not most, web servers are configured to allow low quality session encryption. Likewise many browsers are still shipped with support for low quality ciphers. Both these conditions are in large measure a consequence of early US government restrictions on cipher use by the public and some places, France?, still have them I think.

So once the https session handshaking is complete using your RSA-4096 public key you can still end up running an https session encrypted with an MD5 level cipher. And with few exceptions you have very little control over what your browser chooses to use.

However, since you know the security level and cipher choices at both ends of your ssh tunnel (because you set them up in the first place) then that link is as secure as can be made. As it is the public access point where the greatest danger of eavesdropping occurs a private ssh tunnel secures the weakest link.

DNS leaking is another security issue relating to public wifi hotspots but that is a story for another time.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:[email protected]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
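
Added example (not part of the original message or written by its author): a small Python audit that flags weak session cipher suites by their OpenSSL-style names, and builds a client context that refuses to negotiate them. The rule list, the sample offer and the function names are assumptions made for this illustration.

```python
import re
import ssl

# Name tokens that mark a weak suite (this example's own rule list, not exhaustive).
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXP": "export-grade key length",
    "RC4": "RC4 stream cipher",
    "RC2": "RC2 block cipher",
    "DES": "DES or 3DES block cipher",
    "MD5": "MD5-based MAC",
    "ADH": "anonymous key exchange",
    "AECDH": "anonymous key exchange",
}

# Constructed sample: OpenSSL-style suite names a permissive server might offer.
SAMPLE_OFFER = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA",
                "RC4-MD5", "EXP-RC4-MD5", "NULL-SHA"]

def weaknesses(suite):
    """Return the reasons a suite name is considered weak (empty list if none)."""
    reasons = []
    for token in re.split(r"[-_]", suite.upper()):
        key = "EXP" if token.startswith("EXP") else token
        reason = WEAK_TOKENS.get(key)
        if reason and reason not in reasons:
            reasons.append(reason)
    return reasons

def audit(suites):
    """Map each weak suite name to its reasons; strong suites are omitted."""
    return {s: w for s in suites if (w := weaknesses(s))}

def hardened_context():
    """Client context limited to TLS 1.2+ with ECDHE key exchange and AEAD ciphers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

if __name__ == "__main__":
    for name, why in audit(SAMPLE_OFFER).items():
        print(f"WEAK  {name}: {', '.join(why)}")
    local = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    print("weak suites in this Python's default client:", audit(local) or "none")
```

The strength of the certificate key plays no part in the audit: it looks only at the session cipher, MAC and key exchange named in each suite.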
