
On Sat, 25 Jul 2015 23:34:11 -0400 Anton Aylward <opensuse@antonaylward.com> wrote:
Reading through the paper, I noticed that using HTTPS is considered an advisable security strategy. While I don't doubt that sending passwords via SSL is more secure than sending them as unencrypted plain text, I sometimes question the security of SSL. My understanding of the protocol is that a server sends its certificate to the client unencrypted to initiate the connection. If this is right, then an SSL certificate can be intercepted, and the encrypted internet traffic can be decrypted.
It's not that simple. The 'key exchange' problem existed for centuries. The Diffie & Hellman key exchange system solved that. https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange http://security.stackexchange.com/questions/45963/diffie-hellman-key-exchang...
See also "Authenticated Diffie-Hellman"
In practice, it's used to set a session key which is then used to create a short-lived key that is discarded after N packets, and another key generated by means of the session key.
The public certificate is a convenience; strictly speaking that is RSA. There are other ways of doing that part of it. Strictly speaking you don't need a certificate to use SSL/TLS (see PSK, Kerberos and even anonymous cipher suites).
Also: check the difference between SSL, TLS and HTTPS
HTTPS is an application layer protocol.
I suspected that it wasn't that simple. Thanks for sharing this information.
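Added example, not part of the thread: a toy Diffie-Hellman exchange showing that everything sent in the clear (group parameters and both public values) is not enough to compute the session key, and how short-lived keys can be derived from that session key. The prime, generator, function names and the HMAC-based derivation are assumptions made for illustration; the exchange shown is unauthenticated, which is the gap that "Authenticated Diffie-Hellman" and the server certificate address.

```python
import hashlib
import hmac
import secrets

# Toy parameters constructed for this example: 2**127 - 1 is prime, but far
# too small for real use (real deployments use 2048-bit+ groups or curves).
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return priv, pow(G, priv, P)


def session_key(my_priv, peer_pub):
    """Hash the shared secret g^(xy) mod p into a 32-byte session key."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def short_lived_key(sess_key, epoch):
    """Derive the key for one batch of N packets from the session key."""
    label = b"epoch" + epoch.to_bytes(4, "big")
    return hmac.new(sess_key, label, hashlib.sha256).digest()


def run_exchange():
    """Simulate both sides; return each side's key and what crossed the wire."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # Only these values are visible to someone intercepting the traffic.
    wire = {"p": P, "g": G, "client_pub": c_pub, "server_pub": s_pub}
    client_key = session_key(c_priv, s_pub)
    server_key = session_key(s_priv, c_pub)
    return client_key, server_key, wire


if __name__ == "__main__":
    client_key, server_key, wire = run_exchange()
    print("keys match:", client_key == server_key)
    print("seen on the wire:", sorted(wire))
    for epoch in range(3):
        print("epoch", epoch, short_lived_key(client_key, epoch).hex()[:16])
```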