February 20th, 2003, 08:38 PM
SSL security interception question
How secure are SSL connections really? Can some hacker along the way from a secure site from where data was sent from intercept the data between both a clients browser and the destination? For example, if I have a supercerthosting.com secure account and have a CGI accept credit cards over my https://supercerthosting.com/myaccount/mycgi.cgi can a hacker use another secure connection to trick the cgi into sending the info to
the hacker-made CGI? I have been very curious about this for a long time...
February 25th, 2003, 10:11 AM
How SSL works is thus:
Imagine A wants to send B a message
A says to B - I wan't to send you a message
B gives A it's public key
A encrypts a random message with that public key.
A send the message to B
B encrypts a part of that message using it's private key
B sends that back
A takes B's public key from the certificate (C) on B
A then decrypts the message using B's public key from C
If the message decrypts back to the original encrypted message then A has validated who B is through the use of C.
Now, if an untrusted person (D) sits between A and B, he can't understand that data unless he knows B's private key. The private key should never be disclosed, and therefore D shouldn't know it, and can't decipher the message. D could try to send a malformed packet of data, but SSL has another trick for combatting that. A and B agree on a message authorisation code (MAC) that is a code they use to identify either A or B as the message sender, so any message sent by D would just be ignored.
So, pretty secure... I heard that there is a possible 94 million combinations of private/public key pairs, so it's pretty secure.
February 25th, 2003, 11:41 AM
Thanks for response
OK, thanks, thats just the explanation I have been looking for. Thanks again!