#1

    SSL security interception question


    How secure are SSL connections really? Can some hacker along the way from a secure site from where data was sent intercept the data between both a client's browser and the destination? For example, if I have a supercerthosting.com secure account and have a CGI accept credit cards over my https://supercerthosting.com/myaccount/mycgi.cgi, can a hacker use another secure connection to trick the CGI into sending the info to the hacker-made CGI? I have been very curious about this for a long time...

    Thanks

    Blackcreek
#2

    How SSL works is thus:

    Imagine A wants to send B a message
    A says to B - I want to send you a message
    B gives A its public key
    A encrypts a random message with that public key.
    A sends the message to B
    B encrypts a part of that message using its private key
    B sends that back
    A takes B's public key from the certificate (C) on B
    A then decrypts the message using B's public key from C
    If the message decrypts back to the original encrypted message then A has validated who B is through the use of C.

    Now, if an untrusted person (D) sits between A and B, he can't understand that data unless he knows B's private key. The private key should never be disclosed, and therefore D shouldn't know it, and can't decipher the message. D could try to send a malformed packet of data, but SSL has another trick for combatting that. A and B agree on a message authorisation code (MAC) that is a code they use to identify either A or B as the message sender, so any message sent by D would just be ignored.

    So, pretty secure... I heard that there is a possible 94 million combinations of private/public key pairs, so it's pretty secure.
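
Added example (not part of the original posts): a simplified Python model of the per-message MAC check described in the reply above, showing records that an on-path party D alters, forges or replays being rejected by B. It assumes A and B already share a MAC key from the handshake and omits encryption; the sequence number that covers replay goes beyond what the post describes, and the `RecordChannel` class and sample payloads are constructed for illustration, not the real TLS record format.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


class RecordChannel:
    """One endpoint of a toy record layer: payload || HMAC(key, seq || payload)."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self._send_seq = self._recv_seq = 0

    def _tag(self, seq: int, payload: bytes) -> bytes:
        msg = struct.pack(">Q", seq) + payload
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        record = payload + self._tag(self._send_seq, payload)
        self._send_seq += 1
        return record

    def accept(self, record: bytes) -> bool:
        # True only if the MAC is valid for the next expected sequence number.
        if len(record) < TAG_LEN:
            return False
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self._recv_seq, payload)):
            return False  # record dropped; the counter does not advance
        self._recv_seq += 1
        return True


def demo() -> dict:
    key = os.urandom(32)                   # assumed agreed during the handshake
    a, b = RecordChannel(key), RecordChannel(key)
    d = RecordChannel(os.urandom(32))      # D does not know the shared key
    first = a.seal(b"order=1001")          # constructed sample payloads
    second = a.seal(b"amount=10")
    flipped = bytes([second[0] ^ 0x01]) + second[1:]  # one bit changed in transit
    return {
        "genuine": b.accept(first),
        "tampered": b.accept(flipped),
        "untampered_after": b.accept(second),
        "forged": b.accept(d.seal(b"amount=9999")),
        "replayed": b.accept(first),
    }
```

Calling `demo()` returns one boolean per case; only the two unmodified records from A are accepted.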
#3

    Thanks for response


    OK, thanks, that's just the explanation I have been looking for. Thanks again!

    blackcreek
