Re: [chat] "Steal" data before encryption

[Phil Scarratt <fil@xxxxxxxxxxx>]

It was just a question that occured to me whilst looking into what was 
necessary for my app in particular. I'm in no way concerned that much 
about the data in my case, otherwise as you say why use SSL at all (or 
the web for that matter). It was just a hypothetical that I wondered 
about......might pick up a copy of the book you mentioned...

Thanks

fil

Matt M wrote:
> Bear in mind my understanding of SSL specifically is limited, but here 
> goes:
>
> At 22:07 10/07/2003, Phil Scarratt wrote:
>
> > Hi All
> >
> > Member of main list for awhile ... new to slug chat...
> >
> > ...is it possible (however unlikely or difficult it might be - or even 
> > pointless due to other easier methods of doing effectively the same 
> > thing) for a hacker/attacker to get access to data entered into a form 
> > in a browser on an SSL connection to a remote server BEFORE it is 
> > encrypted but after the form submit has been clicked - so I guess what 
> > I am really asking is when/where does the encryption occur (I presume 
> > the browser does it)
>
>
> Presuming I understand correctly, SSL in your example is being used as a 
> component of HTTPS (Secure HTTP), which is an application level 
> transport protocol (Think of it as a secure "tunnel" for passing HTTP 
> commands and data), therefore encryption occurs immediately before the 
> readied HTTP payload (commands, plus, in your case, data) is 
> transmitted. -- The encryption is inherent to the protocol, thus 
> everything that goes over it gets encrypted, not just data, not just 
> commands.
>
> > and is it possible to get at the data via some "backdoor" before 
> > encryption?????
>
>
> Only if the client machine is compromised in some way. This could occur 
> through any number of ways, including, as you noted below, reading data 
> straight out of memory (difficult -- easier to use some form of 
> software, or van eck phreaking). If you're worried about this, you 
> shouldn't be using SSL for whatever you're transporting, and you should 
> seriously consider how much your data is worth -- security is a science 
> of trade offs (Yes, you could build a faraday cage and put your computer 
> in a bank vault, with armed guards and no network connectivity, but 
> what's the point if it only stores your mp3 collection? (or for that 
> matter, credit card number)).
>
> > or I guess this is really a browser vulnerability question...
> >
> > I know keystroke loggers exist and presumably the data must exist in 
> > memory at some stage so looking at the memory might work...just a 
> > hypothetical question really which came about from some research into 
> > securing web apps that I am doing.
>
>
> Security can be difficult. Not only do you have to ensure the security 
> of a specific component, but the interaction of the components. There 
> are really only two ways to ensure this: peer review (It's almost as 
> good to use peer reviewed components, e.g. encryption algorithms, as 
> long as you understand your 'glue' really, really well), and similarly, 
> hiring a specialist security consultant (the latter is by no means 
> foolproof, but helps to spread the liability :)).
>
> If you're really wanting to get into security analysis, I'd recommend 
> you get a copy of 'Security Engineering: A Guide to Building Dependable 
> Distributed Systems' by Ross Anderson.
>
> HTH.
>
> Matt


--
Phil Scarratt