- To: Phil Scarratt <fil@xxxxxxxxxxx>, slug-chat <slug-chat@xxxxxxxxxxx>
- Subject: Re: [chat] "Steal" data before encryption
- From: Matt M <m@xxxxxxxxxxxxx>
- Date: Thu, 10 Jul 2003 22:56:24 +1000
Bear in mind my understanding of SSL specifically is limited, but here goes:
At 22:07 10/07/2003, Phil Scarratt wrote:
> Hi All
> Member of main list for a while ... new to slug chat...
> ...is it possible (however unlikely or difficult it might be - or even
> pointless due to other easier methods of doing effectively the same thing)
> for a hacker/attacker to get access to data entered into a form in a
> browser on an SSL connection to a remote server BEFORE it is encrypted but
> after the form submit has been clicked - so I guess what I am really
> asking is when/where does the encryption occur (I presume the browser does it)?
Presuming I understand correctly, SSL in your example is being used as a
component of HTTPS (Secure HTTP), which is an application-level transport
protocol (think of it as a secure "tunnel" for passing HTTP commands and
data), therefore encryption occurs immediately before the readied HTTP
payload (commands plus, in your case, data) is transmitted. The
encryption is inherent to the protocol, thus everything that goes over it
gets encrypted, not just data, not just commands.
> and is it possible to get at the data via some "backdoor" before
> encryption?????
Only if the client machine is compromised in some way. This could occur
in any number of ways, including, as you noted below, reading data
straight out of memory (difficult -- easier to use some form of software,
or Van Eck phreaking). If you're worried about this, you shouldn't be using
SSL for whatever you're transporting, and you should seriously consider how
much your data is worth -- security is a science of trade-offs (yes, you
could build a Faraday cage and put your computer in a bank vault, with
armed guards and no network connectivity, but what's the point if it only
stores your mp3 collection? (or, for that matter, a credit card number)).
> or I guess this is really a browser vulnerability question...
> I know keystroke loggers exist and presumably the data must exist in
> memory at some stage so looking at the memory might work...just a
> hypothetical question really which came about from some research into
> securing web apps that I am doing.
Security can be difficult. Not only do you have to ensure the security of a
specific component, but also the interaction of the components. There are really
only two ways to ensure this: peer review (it's almost as good to use peer
reviewed components, e.g. encryption algorithms, as long as you understand
your 'glue' really, really well), and similarly, hiring a specialist
security consultant (the latter is by no means foolproof, but helps to
spread the liability :)).
If you're really wanting to get into security analysis, I'd recommend you
get a copy of 'Security Engineering: A Guide to Building Dependable
Distributed Systems' by Ross Anderson.
HTH.
Matt
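An added illustration of the point made in the reply above about where the encryption sits (this is example code written for this page, not something from the thread or from any browser). It drives Python's standard-library HTTP client exactly as it would be driven for a real request, but swaps the transport socket for a stand-in that simply records what the HTTP layer hands it. With `HTTPSConnection` the only difference is that `conn.sock` is an `ssl.SSLSocket` whose `sendall()` encrypts; nothing above that boundary changes, so the captured bytes are precisely the plaintext that exists in the client before TLS ever sees it: request line, headers and the form body alike. The host, path and form values are constructed sample input; `CaptureSocket` is a hypothetical helper that stands in for whatever sits at that layer (a patched socket, an injected script, a keylogger) once the client is compromised.

```python
import http.client
import urllib.parse


class CaptureSocket:
    """Stand-in for the transport socket (constructed for this example).

    It records exactly what the HTTP layer hands down.  In an HTTPS
    connection this is the point where an ssl.SSLSocket would encrypt;
    anything hooked in here sees the request in the clear.
    """

    def __init__(self):
        self.sent = b""

    def sendall(self, data):
        # The HTTP layer calls this with the serialised request.
        self.sent += data

    def close(self):
        pass


def build_form_post(host, path, fields):
    """Submit a form through http.client with the transport replaced and
    return the bytes that reached the transport boundary."""
    conn = http.client.HTTPConnection(host)
    sock = CaptureSocket()
    conn.sock = sock  # pre-set the socket so connect() is never called
    body = urllib.parse.urlencode(fields)  # what a browser builds from the form
    conn.request(
        "POST",
        path,
        body=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    conn.close()
    return sock.sent


def sensitive_fields_in_clear(wire_bytes, fields):
    """Return the form values that appear verbatim (form-encoded) in what
    reached the transport, i.e. what a hook below the browser but above
    TLS could read."""
    return [
        value
        for value in fields.values()
        if urllib.parse.quote_plus(value).encode() in wire_bytes
    ]


if __name__ == "__main__":
    # Constructed sample form submission; not real data.
    FORM = {"user": "phil", "card": "4111111111111111"}
    wire = build_form_post("shop.example", "/checkout", FORM)
    print(wire.decode("ascii"))
    print("readable before the socket encrypts:",
          sensitive_fields_in_clear(wire, FORM))
```

Run it and the output is a complete, readable HTTP request: `POST /checkout HTTP/1.1`, the `Host:` and `Content-Length:` headers, and `user=phil&card=4111111111111111` as the body. That is the "readied HTTP payload" of the reply above; TLS takes over only at `sendall()`, which is why nothing in SSL itself can protect against code that already runs on the client at or above this layer.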