I have googled and not found anything appropriate. If anyone can supply
some keywords for my search, please do.
stunnel connects to news.newsguy.com on port 563. How can I know that this
transmission is encrypted?
--
buck
buck wrote:
> I have googled and not found anything appropriate. If anyone can supply
> some keywords for my search, please do.
>
> stunnel connects to news.newsguy.com on port 563. How can I know that this
> transmission is encrypted?
Two options come to mind.
1. Do a packet capture with tcpdump, wireshark, etc., and watch the SSL
encryption type get negotiated. That part's always in the clear.
2. Although I haven't ever done it myself, crank up the debug level.
stunnel comes with its own documentation. I could be better, but check
out the debug and output parameters in stunnel.conf.
"buck" <buck@private.mil> wrote in message
news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
> I have googled and not found anything appropriate. If anyone can supply
> some keywords for my search, please do.
>
> stunnel connects to news.newsguy.com on port 563. How can I know that this
> transmission is encrypted?
By DEFINITION.
D. Stussy wrote:
> "buck" <buck@private.mil> wrote in message
> news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
>> I have googled and not found anything appropriate. If anyone can supply
>> some keywords for my search, please do.
>>
>> stunnel connects to news.newsguy.com on port 563. How can I know that this
>> transmission is encrypted?
>
> By DEFINITION.
Not quite. SSL allows the NULL cipher, which is no encryption.
Of course, it has to be offered by the server and selected by the
client. I don't know of any admins who enable it on their servers, but
I can't speak authoritatively about all servers everywhere.
Example: Assuming you use Firefox (I use 1.5.0.x, so YMMV), go to
about:config and filter on security.ssl. Notice that there are NULL
encryption options available. (Hopefully they are disabled, but they
exist.)
Example: Apache uses "aNULL" for the algorithm NULL SSL option. It is
also disabled by default, but you can turn it on if you want. (I
believe stunnel uses the same options and defaults.)
Why would you want to use SSL without encryption? I suppose you could
use it for certificate-based client authentication only, without
encryption. I don't know anyone who does, but, hey, if you want, you can.
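
Added example, not part of any post in this thread: the cipher suite negotiation mentioned in the packet-capture suggestion earlier travels in the clear in the ServerHello, so it can be read from captured bytes and checked against the NULL-encryption suites discussed above. The sample record is constructed, the suite table is a small subset of the IANA registry, and the function names are this example's own.

```python
import struct

# Small subset of the IANA TLS cipher suite registry (not exhaustive).
SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def selected_suite(record: bytes) -> int:
    """Return the cipher suite id the server chose in a ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) < rlen:
        raise ValueError("not a complete handshake record")
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: version (2), random (32), session id length (1), session id.
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 2:
        raise ValueError("truncated ServerHello")
    offset = 35 + hello[34]
    return int.from_bytes(hello[offset:offset + 2], "big")

def describe(record: bytes):
    """Return (suite name, encrypts?); encrypts is None for unlisted suites."""
    suite = selected_suite(record)
    if suite not in SUITES:
        return "unknown 0x%04X" % suite, None
    name = SUITES[suite]
    return name, "_WITH_NULL_" not in name

def sample_server_hello(suite: int) -> bytes:
    """Constructed sample: SSL 3.0 ServerHello, zero random, no session id."""
    hello = b"\x03\x00" + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for suite_id in (0x002F, 0x0002):
        print(describe(sample_server_hello(suite_id)))
```

With a real capture, the input is the first TLS record the server sends back on the connection.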
On 2008-04-15, Allen Kistler <ackistler@oohay.moc> wrote:
>
> Why would you want to use SSL without encryption? I suppose you could
> use it for certificate-based client authentication only, without
> encryption. I don't know anyone who does, but, hey, if you want, you can.
If you're debugging a remote application that has no cleartext option,
you can use null encryption to be able to sniff the data going over the
wire without having to rewrite the app to allow a cleartext session. I
don't have a good example off the top of my head, but imagine that HTTP
didn't exist, and the only thing your httpd supported was HTTPS. Would
you want to rewrite your httpd to support plaintext HTTP, or would it be
easier to simply use null encryption?
I wonder if the SSL developers themselves use null encryption as part of
their development and testing process.
--keith
--
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
"Allen Kistler" <ackistler@oohay.moc> wrote in message
news:q1bNj.3916$vF.3700@newssvr21.news.prodigy.net...
> D. Stussy wrote:
> > "buck" <buck@private.mil> wrote in message
> > news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
> >> I have googled and not found anything appropriate. If anyone can supply
> >> some keywords for my search, please do.
> >>
> >> stunnel connects to news.newsguy.com on port 563. How can I know that this
> >> transmission is encrypted?
> >
> > By DEFINITION.
>
> Not quite. SSL allows the NULL cipher, which is no encryption.
Is that really secure? SSL = Secure sockets layer. A NULL cypher may be
permitted but I don't call that secure.
On 16 Apr, 07:35, "D. Stussy" <s...@bde-arc.ampr.org> wrote:
> "Allen Kistler" <ackist...@oohay.moc> wrote in message
>
> news:q1bNj.3916$vF.3700@newssvr21.news.prodigy.net...
>
> > D. Stussy wrote:
> > > "buck" <b...@private.mil> wrote in message
> > >news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
> > >> I have googled and not found anything appropriate. If anyone can supply
> > >> some keywords for my search, please do.
>
> > >> stunnel connects to news.newsguy.com on port 563. How can I know that this
> > >> transmission is encrypted?
>
> > > By DEFINITION.
>
> > Not quite. SSL allows the NULL cipher, which is no encryption.
>
> Is that really secure? SSL = Secure sockets layer. A NULL cypher may be
> permitted but I don't call that secure.
It's not, but it's exactly what the original poster was asking about.
buck wanted to be sure that his SSL connection was, in fact,
encrypted. A sneaky bastard of an SSL server could, in theory,
negotiate a 'null' cipher, and that way a connection with a browser
might show a lovely little 'secured' icon but in actuality be
unencrypted.
I don't know if any browsers or stunnel could be misled this way, but
it's a fascinating question.
Keith Keller wrote:
> On 2008-04-15, Allen Kistler <ackistler@oohay.moc> wrote:
>> Why would you want to use SSL without encryption? I suppose you could
>> use it for certificate-based client authentication only, without
>> encryption. I don't know anyone who does, but, hey, if you want, you can.
>
> If you're debugging a remote application that has no cleartext option,
> you can use null encryption to be able to sniff the data going over the
> wire without having to rewrite the app to allow a cleartext session. I
> don't have a good example off the top of my head, but imagine that HTTP
> didn't exist, and the only thing your httpd supported was HTTPS. Would
> you want to rewrite your httpd to support plaintext HTTP, or would it be
> easier to simply use null encryption?
>
> I wonder if the SSL developers themselves use null encryption as part of
> their development and testing process.
Since it's an allowed option, I hope they test it whether they use it
for anything else or not, eh? The rest makes sense, though.
Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
> > Why would you want to use SSL without encryption? I suppose you
> > could use it for certificate-based client authentication only,
> > without encryption. I don't know anyone who does, but, hey, if you
> > want, you can.
>
> If you're debugging a remote application that has no cleartext option,
> you can use null encryption to be able to sniff the data going over
> the wire without having to rewrite the app to allow a cleartext
> session. I don't have a good example off the top of my head, but
> imagine that HTTP didn't exist, and the only thing your httpd
> supported was HTTPS. Would you want to rewrite your httpd to support
> plaintext HTTP, or would it be easier to simply use null encryption?
To support HTTPS (HTTP via SSL), a server must support plaintext HTTP in
the first place. HTTPS is not a specialized HTTP-based protocol, but
just HTTP wrapped in SSL.
One valid reason to use SSL weak or null encryption is performance.
Strong encryption costs a lot of CPU power. If secrecy is not
mandatory, one can trade it for speed. Imagine, for example, the local
network of a small- or medium-scale company, where encryption isn't
needed, except for a few special things.
Regards,
Ertugrul.
--
http://ertes.de/
Nico Kadel-Garcia <nkadel@gmail.com> wrote:
> > > Not quite. SSL allows the NULL cipher, which is no encryption.
> >
> > Is that really secure? SSL = Secure sockets layer. A NULL cypher may
> > be permitted but I don't call that secure.
>
> It's not, but it's exactly what the original poster was asking about.
> buck wanted to be sure that his SSL connection was, in fact,
> encrypted. A sneaky bastard of an SSL server could, in theory,
> negotiate a 'null' cipher, and that way a connection with a browser
> might show a lovely little 'secured' icon but in actuality be
> unencrypted.
>
> I don't know if any browsers or stunnel could be misled this way, but
> it's a fascinating question.
Modern browsers can't. They warn about weak encryption. I don't know
how stunnel behaves.
Regards,
Ertugrul.
--
http://ertes.de/
On 16 Apr, 00:40, Allen Kistler <ackist...@oohay.moc> wrote:
> D. Stussy wrote:
> > "buck" <b...@private.mil> wrote in message
> >news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
> >> How can I know that this
> >> transmission is encrypted?
>
> > By DEFINITION.
>
> Not quite. SSL allows the NULL cipher, which is no encryption.
>
<snip>

> Why would you want to use SSL without encryption? I suppose you could
> use it for certificate-based client authentication only, without
> encryption. I don't know anyone who does, but, hey, if you want, you can.
That's not what the OP asked - he wanted to check it was encrypted. In
Stunnel you can set various levels of debugging info which at some
point would include logging the algorithm negotiated, or you can
configure it to only work with certain types of cipher.
OP - RTFM
C.
Allen Kistler <ackistler@oohay.moc> wrote in
news:7W7Nj.730$26.351@newssvr23.news.prodigy.net:
> buck wrote:
>> I have googled and not found anything appropriate. If anyone can
>> supply some keywords for my search, please do.
>>
>> stunnel connects to news.newsguy.com on port 563. How can I know
>> that this transmission is encrypted?
>
> 2. Although I haven't ever done it myself, crank up the debug level.
> stunnel comes with its own documentation. I could be better, but
> check out the debug and output parameters in stunnel.conf.
Cranking up the logging level from notice to info in stunnel says I have
AES encryption. Ordinarily I'd try to (I'm a novice WRT wireshark) verify
that with wireshark (tshark), but since stunnel has been around for a long
time, I think I'll trust it.
Thanks for the tip.
--
buck
On Apr 15, 3:02 pm, buck <b...@private.mil> wrote:
> I have googled and not found anything appropriate. If anyone can supply
> some keywords for my search, please do.
>
> stunnel connects to news.newsguy.com on port 563. How can I know that this
> transmission is encrypted?
> --
> buck
WireShark is your best bet in this situation. It is very simple to use
and you can easily see if the traffic you are sending via FORM POSTS
are recognized in the stream capture.
- Dominic Salemno