
On Tue, October 1, 2013 11:40, Felmon Davis wrote:

am I mistaken? I thought any https address is already encrypted.


There is encryption and then there is ENCRYPTION.  PKI certificate keys are
only used to authenticate and to establish a cipher and share a secret session
key between two hosts.  If the negotiated key/cipher is low quality then the
resulting https session data stream may be compromised with relative ease.

Unfortunately many, if not most, web servers are configured to allow low
quality session encryption.  Likewise many browsers are still shipped with
support for low quality ciphers.  Both these conditions are in large measure a
consequence of early US government restrictions on cipher use by the public
and some places, France?, still have them I think.  So once the https session
handshaking is complete using your RSA-4096 public key you can still end up
running an https session encrypted with an MD5 level cipher.  And with few
exceptions you have very little control over what your browser chooses to use.

However, since you know the security level and cipher choices at both ends of
your ssh tunnel (because you set them up in the first place) then that link is
as secure as can be made.  As it is the public access point where the greatest
danger of eavesdropping occurs, a private ssh tunnel secures the weakest link.

DNS leaking is another security issue relating to public wifi hotspots but
that is a story for another time.

***          E-Mail is NOT a SECURE channel          ***
James B. Byrne      
Harte & Lyne Limited
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
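
Added example, not part of the original message: a Python sketch of the point above that the negotiated session cipher, not the certificate key, sets the strength of an https session. The sample suite list is constructed, and the thresholds, deny list and function names are this example's own assumptions.

```python
import ssl

# Constructed sample in the dict shape returned by SSLContext.get_ciphers().
# Every suite authenticates with RSA, so the certificate key size is the
# same for all of them; only the session cipher differs.
SAMPLE_OFFER = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256,
     "symmetric": "aes-256-gcm", "digest": None, "auth": "auth-rsa"},
    {"name": "DES-CBC3-SHA", "strength_bits": 112,
     "symmetric": "des-ede3-cbc", "digest": "sha1", "auth": "auth-rsa"},
    {"name": "EXP-RC4-MD5", "strength_bits": 40,
     "symmetric": "rc4", "digest": "md5", "auth": "auth-rsa"},
    {"name": "RC4-MD5", "strength_bits": 128,
     "symmetric": "rc4", "digest": "md5", "auth": "auth-rsa"},
]

MIN_BITS = 128                               # assumed policy floor
BAD_SYMMETRIC = ("rc4", "rc2", "des", "null")  # assumed deny list


def weak_reasons(suite):
    """Return the reasons a suite fails the policy (empty list if it passes)."""
    reasons = []
    if suite.get("strength_bits", 0) < MIN_BITS:
        reasons.append("key<%d bits" % MIN_BITS)
    sym = (suite.get("symmetric") or "").lower()
    if sym.startswith(BAD_SYMMETRIC):
        reasons.append("cipher " + sym)
    if (suite.get("digest") or "").lower() == "md5":
        reasons.append("MD5 MAC")
    return reasons


def audit(suites):
    """Map suite name -> reasons, for every suite that fails the policy."""
    failed = {}
    for suite in suites:
        reasons = weak_reasons(suite)
        if reasons:
            failed[suite["name"]] = reasons
    return failed


def restricted_context():
    """Client context that only offers forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_OFFER).items():
        print(name, "->", ", ".join(reasons))
    print("weak suites in restricted context:",
          audit(restricted_context().get_ciphers()))
```

Note that RC4-MD5 reports 128 bits and still fails, which is why the check looks at the algorithm as well as the key length.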
