WebApp Sec mailing list archives

Re: SSL Question


From: RSnake <rsnake () shocking com>
Date: Mon, 22 Dec 2003 13:50:33 -0800 (PST)


        Once again, here is the transactional model:

Client hello ->
<- Server hello
<- Server certificate
<- serverHelloDone
ClientKeyExchange E(Kserv, PK) ->
ChangeCipherSpec ->
FIN Handshake (MAC) ->
<- ChangeCipherSpec
<- FIN Handshake (MAC)
Application_data HTTP request -> (GET /?data HTTP/1.0\n\n)
<- Application_data HTTP response (HTTP/1.1 200 OK\n...)
Alert : close_notify ->
<- Alert : close_notify


On Mon, 22 Dec 2003, bob wrote:

| Date: Mon, 22 Dec 2003 13:23:17 -0800
| From: bob <bob () calweb com>
| To: webappsec () securityfocus com
| Subject: SSL Question
|
| If I send out an https link with authentication information
| in it, is the initial HTTPS Get command with the tokens sent
| in the clear or does this happen after the SSL session
| handshake is established?
|

-R
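
The message order in the reply above, seen at the record layer, as an added example that is not part of the original post. It walks one direction's TLS records and marks which ones were sent after ChangeCipherSpec; the function names and the sample byte stream are constructed for illustration.

```python
import struct

# TLS/SSLv3 record-layer content types (record header: type, version, length).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def record(ctype, payload, version=(3, 1)):
    """Build one record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload

def parse_records(stream):
    """Yield (type_name, payload) for each record in one direction's bytes."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype), payload
        pos += 5 + length

def audit_direction(stream):
    """Return [(type_name, protected)]; protected is True once CCS was sent."""
    protected, seen = False, []
    for name, _payload in parse_records(stream):
        seen.append((name, protected))
        if name == "change_cipher_spec":
            protected = True   # every later record uses the negotiated keys
    return seen

def cleartext_app_data(stream):
    """Application data sent before ChangeCipherSpec would travel unencrypted."""
    return [n for n, prot in audit_direction(stream)
            if n == "application_data" and not prot]

# Constructed client->server bytes following the message order in the post.
# Payloads are placeholder bytes standing in for real handshake/ciphertext data.
CLIENT_STREAM = b"".join([
    record(22, b"\x01" + b"\x00" * 40),   # ClientHello (cleartext)
    record(22, b"\x10" + b"\x00" * 130),  # ClientKeyExchange E(Kserv, PK)
    record(20, b"\x01"),                  # ChangeCipherSpec
    record(22, bytes(range(40))),         # Finished (already encrypted)
    record(23, bytes(range(64))),         # HTTP request: GET /?data ...
    record(21, bytes(range(24))),         # Alert: close_notify
])

if __name__ == "__main__":
    for name, prot in audit_direction(CLIENT_STREAM):
        print("%-20s %s" % (name, "encrypted" if prot else "cleartext"))
```

A passive observer of this stream sees only the record type and length of the request; the request line itself is inside the application_data record that follows ChangeCipherSpec.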
