How to determine if SSL is encrypted? - Security


Thread: How to determine if SSL is encrypted?

  1. How to determine if SSL is encrypted?

    I have googled and not found anything appropriate. If anyone can supply
    some keywords for my search, please do.

    stunnel connects to news.newsguy.com on port 563. How can I know that this
    transmission is encrypted?
    --
    buck

  2. Re: How to determine if SSL is encrypted?

    buck wrote:
    > I have googled and not found anything appropriate. If anyone can supply
    > some keywords for my search, please do.
    >
    > stunnel connects to news.newsguy.com on port 563. How can I know that this
    > transmission is encrypted?


    Two options come to mind.

    1. Do a packet capture with tcpdump, wireshark, etc., and watch the SSL
    encryption type get negotiated. That part's always in the clear.

    2. Although I haven't ever done it myself, crank up the debug level.
    stunnel comes with its own documentation. I could be better, but check
    out the debug and output parameters in stunnel.conf.

  3. Re: How to determine if SSL is encrypted?

    "buck" wrote in message
    news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
    > I have googled and not found anything appropriate. If anyone can supply
    > some keywords for my search, please do.
    >
    > stunnel connects to news.newsguy.com on port 563. How can I know that
    > this transmission is encrypted?


    By DEFINITION.



  4. Re: How to determine if SSL is encrypted?

    D. Stussy wrote:
    > "buck" wrote in message
    > news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
    >> I have googled and not found anything appropriate. If anyone can supply
    >> some keywords for my search, please do.
    >>
    >> stunnel connects to news.newsguy.com on port 563. How can I know that
    >> this transmission is encrypted?
    >
    > By DEFINITION.


    Not quite. SSL allows the NULL cipher, which is no encryption.

    Of course, it has to be offered by the server and selected by the
    client. I don't know of any admins who enable it on their servers, but
    I can't speak authoritatively about all servers everywhere.

    Example: Assuming you use Firefox (I use 1.5.0.x, so YMMV), go to
    about:config and filter on security.ssl. Notice that there are NULL
    encryption options available. (Hopefully they are disabled, but they
    exist.)

    Example: Apache uses "aNULL" for the algorithm NULL SSL option. It is
    also disabled by default, but you can turn it on if you want. (I
    believe stunnel uses the same options and defaults.)

    Why would you want to use SSL without encryption? I suppose you could
    use it for certificate-based client authentication only, without
    encryption. I don't know anyone who does, but, hey, if you want, you can.
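
An added example, not part of the thread: the packet-capture check suggested in post 2 combined with the NULL-cipher point from post 4. It reads the cipher suite the server selected out of a ServerHello record (sent in the clear in SSL 3.0 through TLS 1.2) and reports whether that suite uses the NULL bulk cipher. The function names are illustrative, the suite table is a small subset of the IANA registry, and the sample records are constructed, not captured.

```python
import struct

# A few cipher suite IDs from the IANA TLS registry (subset for illustration).
SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def selected_suite(record: bytes) -> int:
    """Return the suite ID chosen in an SSL 3.0 - TLS 1.2 ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                      # 0x16 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:   # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Layout: version(2) + random(32) + session_id length(1) + session_id
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]                   # skip the variable-length session ID
    if len(hello) < off + 3:               # suite(2) + compression method(1)
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[off:off + 2])[0]

def is_encrypted(suite_id: int) -> bool:
    """False when the negotiated suite uses the NULL bulk cipher."""
    name = SUITES.get(suite_id)
    if name is None:
        raise KeyError(f"suite 0x{suite_id:04X} is not in the table")
    return "_WITH_NULL_" not in name

def build_server_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Construct a sample TLS 1.0 ServerHello record (test data, not a capture)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite_id) + b"\x00")
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

To use it on real traffic, feed `selected_suite` the raw bytes of the first server-to-client TLS record from a capture of the port 563 connection.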

  5. Re: How to determine if SSL is encrypted?

    On 2008-04-15, Allen Kistler wrote:
    >
    > Why would you want to use SSL without encryption? I suppose you could
    > use it for certificate-based client authentication only, without
    > encryption. I don't know anyone who does, but, hey, if you want, you can.


    If you're debugging a remote application that has no cleartext option,
    you can use null encryption to be able to sniff the data going over the
    wire without having to rewrite the app to allow a cleartext session. I
    don't have a good example off the top of my head, but imagine that HTTP
    didn't exist, and the only thing your httpd supported was HTTPS. Would
    you want to rewrite your httpd to support plaintext HTTP, or would it be
    easier to simply use null encryption?

    I wonder if the SSL developers themselves use null encryption as part of
    their development and testing process.

    --keith


    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


  6. Re: How to determine if SSL is encrypted?

    "Allen Kistler" wrote in message
    news:q1bNj.3916$vF.3700@newssvr21.news.prodigy.net ...
    > D. Stussy wrote:
    > > "buck" wrote in message
    > > news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
    > >> I have googled and not found anything appropriate. If anyone can
    > >> supply some keywords for my search, please do.
    > >>
    > >> stunnel connects to news.newsguy.com on port 563. How can I know that
    > >> this transmission is encrypted?
    > >
    > > By DEFINITION.
    >
    > Not quite. SSL allows the NULL cipher, which is no encryption.


    Is that really secure? SSL = Secure sockets layer. A NULL cypher may be
    permitted but I don't call that secure.



  7. Re: How to determine if SSL is encrypted?

    On 16 Apr, 07:35, "D. Stussy" wrote:
    > "Allen Kistler" wrote in message
    > news:q1bNj.3916$vF.3700@newssvr21.news.prodigy.net ...
    >
    > > D. Stussy wrote:
    > > > "buck" wrote in message
    > > > news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
    > > >> I have googled and not found anything appropriate. If anyone can
    > > >> supply some keywords for my search, please do.
    > > >>
    > > >> stunnel connects to news.newsguy.com on port 563. How can I know that
    > > >> this transmission is encrypted?
    > > >
    > > > By DEFINITION.
    > >
    > > Not quite. SSL allows the NULL cipher, which is no encryption.
    >
    > Is that really secure? SSL = Secure sockets layer. A NULL cypher may be
    > permitted but I don't call that secure.


    It's not, but it's exactly what the original poster was asking about.
    buck wanted to be sure that his SSL connection was, in fact,
    encrypted. A sneaky bastard of an SSL server could, in theory,
    negotiate a 'null' cipher, and that way a connection with a browser
    might show a lovely little 'secured' icon but in actuality be
    unencrypted.

    I don't know if any browsers or stunnel could be misled this way, but
    it's a fascinating question.

  8. Re: How to determine if SSL is encrypted?

    Keith Keller wrote:
    > On 2008-04-15, Allen Kistler wrote:
    >> Why would you want to use SSL without encryption? I suppose you could
    >> use it for certificate-based client authentication only, without
    >> encryption. I don't know anyone who does, but, hey, if you want, you can.

    >
    > If you're debugging a remote application that has no cleartext option,
    > you can use null encryption to be able to sniff the data going over the
    > wire without having to rewrite the app to allow a cleartext session. I
    > don't have a good example off the top of my head, but imagine that HTTP
    > didn't exist, and the only thing your httpd supported was HTTPS. Would
    > you want to rewrite your httpd to support plaintext HTTP, or would it be
    > easier to simply use null encryption?
    >
    > I wonder if the SSL developers themselves use null encryption as part of
    > their development and testing process.


    Since it's an allowed option, I hope they test it whether they use it
    for anything else or not, eh? The rest makes sense, though.

  9. Re: How to determine if SSL is encrypted?

    Keith Keller wrote:

    > > Why would you want to use SSL without encryption? I suppose you
    > > could use it for certificate-based client authentication only,
    > > without encryption. I don't know anyone who does, but, hey, if you
    > > want, you can.

    >
    > If you're debugging a remote application that has no cleartext option,
    > you can use null encryption to be able to sniff the data going over
    > the wire without having to rewrite the app to allow a cleartext
    > session. I don't have a good example off the top of my head, but
    > imagine that HTTP didn't exist, and the only thing your httpd
    > supported was HTTPS. Would you want to rewrite your httpd to support
    > plaintext HTTP, or would it be easier to simply use null encryption?


    To support HTTPS (HTTP via SSL), a server must support plaintext HTTP in
    the first place. HTTPS is not a specialized HTTP-based protocol, but
    just HTTP wrapped in SSL.

    One valid reason to use SSL weak or null encryption is performance.
    Strong encryption costs a lot of CPU power. If secrecy is not
    mandatory, one can trade it for speed. Imagine, for example, the local
    network of a small- or medium-scale company, where encryption isn't
    needed, except for a few special things.


    Regards,
    Ertugrul.


    --
    http://ertes.de/


  10. Re: How to determine if SSL is encrypted?

    Nico Kadel-Garcia wrote:

    > > > Not quite. SSL allows the NULL cipher, which is no encryption.

    > >
    > > Is that really secure? SSL = Secure sockets layer. A NULL cypher may
    > > be permitted but I don't call that secure.

    >
    > It's not, but it's exactly what the original poster was asking about.
    > buck wanted to be sure that his SSL connection was, in fact,
    > encrypted. A sneaky bastard of an SSL server could, in theory,
    > negotiate a 'null' cipher, and that way a connection with a browser
    > might show a lovely little 'secured' icon but in actuality be
    > unencrypted.
    >
    > I don't know if any browsers or stunnel could be misled this way, but
    > it's a fascinating question.


    Modern browsers can't. They warn about weak encryption. I don't know
    how stunnel behaves.


    Regards,
    Ertugrul.


    --
    http://ertes.de/


  11. Re: How to determine if SSL is encrypted?

    On 16 Apr, 00:40, Allen Kistler wrote:
    > D. Stussy wrote:
    > > "buck" wrote in message
    > > news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
    > >> How can I know that
    > >> this transmission is encrypted?
    > >
    > > By DEFINITION.
    >
    > Not quite. SSL allows the NULL cipher, which is no encryption.
    >



    > Why would you want to use SSL without encryption? I suppose you could
    > use it for certificate-based client authentication only, without
    > encryption. I don't know anyone who does, but, hey, if you want, you can.


    That's not what the OP asked - he wanted to check it was encrypted. In
    Stunnel you can set various levels of debugging info which at some
    point would include logging the algorithm negotiated, or you can
    configure it to only work with certain types of cipher.

    OP - RTFM

    C.

  12. Re: How to determine if SSL is encrypted? SOLVED

    Allen Kistler wrote in
    news:7W7Nj.730$26.351@newssvr23.news.prodigy.net:

    > buck wrote:
    >> I have googled and not found anything appropriate. If anyone can
    >> supply some keywords for my search, please do.
    >>
    >> stunnel connects to news.newsguy.com on port 563. How can I know
    >> that this transmission is encrypted?

    >
    > 2. Although I haven't ever done it myself, crank up the debug level.
    > stunnel comes with its own documentation. I could be better, but
    > check out the debug and output parameters in stunnel.conf.


    Cranking up the logging level from notice to info in stunnel says I have
    AES encryption. Ordinarily I'd try to (I'm a novice WRT wireshark) verify
    that with wireshark (tshark), but since stunnel has been around for a long
    time, I think I'll trust it.

    Thanks for the tip.
    --
    buck

  13. Re: How to determine if SSL is encrypted?

    On Apr 15, 3:02 pm, buck wrote:
    > I have googled and not found anything appropriate. If anyone can supply
    > some keywords for my search, please do.
    >
    > stunnel connects to news.newsguy.com on port 563. How can I know that this
    > transmission is encrypted?
    > --
    > buck


    Wireshark is your best bet in this situation. It is very simple to use
    and you can easily see if the traffic you are sending via FORM POSTS
    are recognized in the stream capture.

    - Dominic Salemno
