Dissecting SSL handshake

CloneRanger · #1 June 20th, 2012, 05:00 PM

Quote:

Not everyone knows that the SSL handshake is not encrypted. When you think about it - there isn't other way, before the keys are exchanged the communication must be unencrypted. But I doubt many people think about it.

Not only the SSL handshake is plain-text, but also it contains rather interesting data. I decided to find out how much information can be retrieved from it.

https://idea.popcount.org/2012-06-16...-ssl-handshake

Test yours here

Quote:

Experiments index https://p0f.popcnt.org

#2 June 22nd, 2012, 04:00 PM

But the payload itself remains unreadable. Someone may be able to tell you're sending a facebook message (for instance) but they won't know what the message says. That's the point of SSL, isn't it?

If you want to be more anonymous, that's what tor and proxies are for. Tunnel your traffic through ssh, which encrypts everything inside the tunnel.

CloneRanger · #3 June 23rd, 2012, 07:41 PM

@ BrandiCandi

Hi, the concern though, is the "possibility" of browser fingerprinting etc.

#4 June 24th, 2012, 12:24 PM

Huh. If you're concerned about browser fingerprinting then you are certainly not going to rely on SSL to anonymize you.

The purpose of SSL is to prevent eavesdropping and tampering of traffic between a client and server. It's not to make you totally anonymous. The message is safe but you're not invisible. If you want to hide things like your browser and OS from websites, then you need to browse in private (IE and FF have those options, I'm sure others do too). In FF you can also tell websites that you don't want to be tracked. I have tested the latter option and when I land on a web server, they don't list my OS or browser. See the screenshot to prevent websites from tracking you in Firefox:

Name: ffprivacy.png
Views: 92
Size: 50.3 KB

Name: ffprivacy.png
Views: 92
Size: 50.3 KB

CloneRanger · #5 June 25th, 2012, 07:16 PM

@ BrandiCandi

Huh, well the reason i posted the link, was to show people that "maybe" didn't realise, SSL isn't as Anon as "some" may think.

Yeah, i have my FF sorted, thanks

chronomatic · #6 June 26th, 2012, 03:48 PM

Quote:

Originally Posted by CloneRanger

@ BrandiCandi

Huh, well the reason i posted the link, was to show people that "maybe" didn't realise, SSL isn't as Anon as "some" may think.

SSL has never been about anonymity. If people believe that, they have never understood the purpose of SSL. But, that's not the fault of SSL.

SSL has many problems (specifically with the PKI) but it does a good job as far as privacy is concerned.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search