What exactly does SSL protect in a web site forum/mail?

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
I always thought ssl was for banking only but then on a web forum  
that I frequent someone complained that it's not secured by ssl.

Many others said "why do you care?" since they said ssl is only for banking.
One devil's advocate kept saying that ssl also protects more.

So I'm confused.

On the site I have a few things that I'd like to keep protected.
Does ssl protect them?

1. I have a login account name and a password.
2. The site has "internal" private messages.
3. The site has "external" public discussions.

Which of these things are protected by ssl?
And if they're not protected, who can see them?


Re: What exactly does SSL protect in a web site forum/mail?
On Saturday 23 Jan 2016 14:26, Alice J. conveyed the following to  
alt.os.linux...

Quoted text here. Click to load it

If the website supports SSL, then the URL in the browser's address bar  
will show "https://" instead of "http://".  All that does, however, is  
encrypt the traffic between your computer and the website, as Marco  
said.  

Unencrypted traffic can easily be analyzed by way of packet sniffers ?  
in other words, someone could intercept the traffic between your  
computer and the website and could glean your login and your password ?  
and SSL/TLS encryption makes that a lot more difficult.

Now, on account of those private messages, I myself am an administrator  
at a web-based forum, and most forum engines are based upon a PHP front-
end and a MySQL back-end.  Private messages, like the forum threads and  
forum posts themselves, are not stored in any encrypted format ? albeit  
that the server itself may have been set up with an encrypted filesystem  
? but are simply stored in SQL database files.

Hope this was helpful. ;)

--  
= Aragorn =

         http://www.linuxcounter.net - registrant #223157

Re: What exactly does SSL protect in a web site forum/mail?

Quoted text here. Click to load it

SSL "protects" the data in transit between your PC and the server by
encrypting it.  

Once it's on your PC or on the server, the data is protected by whatever
security methods are instituted by the management of the stored data, if
any.  

Many Web sites are quite sloppy about how they store user data, often
leaving userids, passwords and other sensitive data stored with no
encryption.  

How do you protect the data on your own PC?

--  
bert@iphouse.com    St. Paul, MN

Re: What exactly does SSL protect in a web site forum/mail?
On Sat, 23 Jan 2016 16:06:28 +0000, Bert wrote in message
XnsA598674AD7ABCVeebleFetzer@127.0.0.1:

Quoted text here. Click to load it

I don't. But I assume my router is protecting that.
The router has the bulk firewall.
And the router has the passphrase.

Are you saying my neighbors can read my ssid passphrase?

Re: What exactly does SSL protect in a web site forum/mail?
On 2016-01-23 19:52, Alice J. wrote:
Quoted text here. Click to load it

Certainly not.

Somebody can enter the house in your absence and have a look at your
computer. How do you protect the machine? Do you have a hired gun to
protect it? Realistically, are your hard disks fully encrypted?

That's one aspect, you can consider more.

For instance. Anybody in your house can connect an ethernet cable to
your router and immediately gets access to your entire local network,
not needing to find out your WiFi password. Are you using firewalls on
all your local machines, are they kept updated, do you follow secure
practices on all of them?

Particularly, anybody connecting such a cable would be able to listen to
all your web traffic to sites that do not use SSL. Do you live alone in
your house, do you have room mates? They could read it all. Perhaps
sniff your password and pose as you. Perhaps you use that same
login/password on other sites, so they would try whatever site they
think to try. I know people that use the same pin for their bank as for
email...

Quoted text here. Click to load it

Probably not.

--  
Cheers,
       Carlos E.R.

Re: What exactly does SSL protect in a web site forum/mail?
On Sun, 24 Jan 2016 02:21:49 +0100, Carlos E. R. wrote:

Quoted text here. Click to load it


Not by just attaching a cable to an unused router port.

Re: What exactly does SSL protect in a web site forum/mail?



Quoted text here. Click to load it

Yes by just attaching a cable to an unused router port.
There are ways to hijack traffic on a LAN.

Re: What exactly does SSL protect in a web site forum/mail?
On Sun, 24 Jan 2016 20:57:07 +0100, Pascal Hambourg wrote in message
n83aai$15u9$1@saria.nerim.net:

Quoted text here. Click to load it

At this point, I'm trying to understand the BASICS of home
network security when entering logins/passwords into http web sites.

At this point, I would not assume I am being attacked by someone
who is already inside the house.

I want to first understand the basics, which EVERYONE already has.

It seems that half the people told me that the wpa2 from the router
is protecting the http logins and passwords while the other half
said that this is not the case.

It's very important to first nail down what can easily be seen
in wpa2 traffic over the air by neighbors before we jump to  
a threat level that assumes men clad in black are sneaking around
the house inserting cables into my router.

Basics first.

Re: What exactly does SSL protect in a web site forum/mail?
On 2016-01-24 23:23, Alice J. wrote:

Quoted text here. Click to load it

It does, for those that listen on the radio. Not for those that connect
with a cable to your router.

There was also the comment that other radio protection schemes are
easily breakable, like WEP.


Quoted text here. Click to load it

Nobody says they are doing it. We just say that it is possible to do it.

It is like not locking your car or your house. Perhaps nothing happens,
but you are aware that it can happen.

--  
Cheers, Carlos.


Re: What exactly does SSL protect in a web site forum/mail?
Quoted text here. Click to load it

The problem is that you will probably know if someone breaks into your
car or your house. The goods as such that only one person can have them
at a time. Your internet information is not like that. They can be
"stolen" and you will never know it (until for example you find your
bank account emptied and your bank refusing to compensate you because
your password was used. )

Quoted text here. Click to load it

Re: What exactly does SSL protect in a web site forum/mail?
Carlos E.R. wrote in message l51gnc-6nu.ln1@Telcontar.valinor:

Quoted text here. Click to load it

When I am trying to understand things, I don't start with assuming
a black clad burglar is lying in wait next to the router just waiting
to connect a wire to an unused LAN port.  

That's starting at the most preposterous, and working down.
I'd rather start at the most obvious, and work up.

  
Quoted text here. Click to load it

Again, that's starting at the most preposterous which is to say
that there is no encryption (basically) whatsoever.  

I said many times I have WPA2 and we can assume, for now, that
the SSID and passphrase are secure (because that's a totally
separate issue anyway).

Quoted text here. Click to load it

For now, I try to assume that valid people are connecting to
the router (namely me and my children), at least until I understand
how *that* works.

After we validate how the simple wpa2 protection works, then we can  
get complicated and assume black-clad burglars are sneaking around
my router.

The first "adversary" I'm trying to figure out is simply a neighbor  
who can pick off my air wave transmissions with sniffers.

I'm trying to understand what "they" can see.

Quoted text here. Click to load it

I'm aware that Putin himself can sneak into my house to drip  
polonium into my water supply.

But I'd really first rather understand the "normal" system of
what "does" happen before jumping to trying to understand all
the things that can possibly happen.

Mostly, I'm just trying to figure out what happens in the normal
situation where NOBODY who doesn't belong on the network is
connected by wpa2 and where neighbors can easily sniff packets.

What do the neighbors see?
A. Do they see my packets all in the clear?
B. Do they see my packets all scrambled up?

Re: What exactly does SSL protect in a web site forum/mail?
Quoted text here. Click to load it

But you started with the most preposterous statement. "If I only connect
with http and not with https". So why should responders not point out to
you why that is a silly start.

Quoted text here. Click to load it

How in the world is that the most preposterous. WEP IS protecting the
system with encryption. It is commonly used. That it was shit poor
encryption procedure designed by people who had not the slightest clue
about encryption doe not mean there is not encryption.  

Quoted text here. Click to load it

The SSID is always public.  
Quoted text here. Click to load it

Well, since anyone within 10 or 20 meters of your home can also connect,
that is not a terribly valid assumption.  

Quoted text here. Click to load it

Yup. That is one.  


Quoted text here. Click to load it

And you have been told repeatedly.  

Quoted text here. Click to load it

As you have been told about 5 times, IF you use wpa2 they seen encrypted
packets. They may however be able to break your wpa2 encryption (eg
dictionary attacks) and then see everything. And that does not protect
you beyond that router. Since the Comcast lines run to their house as
well, it is possible that they can see all of the traffic your comcast
router puts out to their central office, Especially since, as YOU said,
they are technologically sophisticated.  

Please read what people answer and do not go riding off in a high
dudgeon.



Re: What exactly does SSL protect in a web site forum/mail?

Quoted text here. Click to load it

Just on this point. It SHOULD always be public (i.e. not hidden).
https://en.wikipedia.org/wiki/Network_cloaking#False_Sense_of_Security
See the last paragraph (before the references).

Regards, Dave Hodgins

--  
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.

Re: What exactly does SSL protect in a web site forum/mail?
On Tue, 26 Jan 2016 12:55:14 -0500, David W. Hodgins wrote in message
op.ybuxeclsa3w0dxdave@hodgins.homeip.net:
Quoted text here. Click to load it

I had known this already, but I'll summarize that it said that hiding
the ssid is not a security measure.

I think it implied that the ssid is not encrypted (even in wpa2)  
because the ssid has to be "broadcast" in the clear for devices  
to find the router, which is a "probe request" frame which they
indicate happens outside of the wpa2 encryption.

That reference mentions kismet and netstumbler but people
here mentioned wireshark. Which is better for sniffing wifi  
traffic?

The very last sentence of that reference brought new ways to  
attack to light, which is this sentence:
  "Programs that act as fake access points are freely available,  
   and include airbase-ng[12] and Karma.[13]".

So what they're saying is that my GOASKALICE ssid can be faked
by them, and then I would try to connect, and, in doing so, I  
would, I guess, give it my real passphrase I guess. I'll have to
read up how they allow the connection since they won't know my
passphrase in advance.

$ sudo apt-get install airbase-ng karma
Reading package lists... Done
Building dependency tree        
Reading state information... Done
E: Unable to locate package airbase-ng
E: Unable to locate package karma

Re: What exactly does SSL protect in a web site forum/mail?
Quoted text here. Click to load it

Of course it is not encrypted. DEvices also have to "call" the SSID, so
they need to know it to connect in the first place.  

Quoted text here. Click to load it

They simply allow anyone to connect. Ie, they ignore the password
(except for remembering it) and allow you to connect.  

Re: What exactly does SSL protect in a web site forum/mail?
On Tue, 26 Jan 2016 19:21:48 +0000, William Unruh wrote in message
n88h0c$ngi$1@dont-email.me:

Quoted text here. Click to load it

Thanks.

Re: What exactly does SSL protect in a web site forum/mail?
On Tue, 26 Jan 2016 17:28:49 +0000, William Unruh wrote in message
n88ach$oms$1@dont-email.me:

Quoted text here. Click to load it

The web site I want to ask car questions on is bimmerfest and it
doesn't use ssl encryption.

Quoted text here. Click to load it

As of this thread, I have changed both my ssid and my passphrase
so that the combination hash should not be found in rainbow tables.

Quoted text here. Click to load it

I agree that what they can see of my wpa2-encrypted packets is
precisely what I'm trying to better understand.

Quoted text here. Click to load it

Before this thread, I thought the neighbors couldn't see anything
but gibberish of my wpa2 encrypted packets.

Half the people here told me that's true while the other half
said that was not true.

All I want is a straight answer to that question that isn't  
wrong.

Quoted text here. Click to load it

That's what I had thought *before* I asked in this thread.
Thank you for confirming that, if my protection is not broken,
then the "packets" they can pluck out of the air, are gibberish.

Quoted text here. Click to load it

That's a concern, of course, now that all SSIDs are published
thanks to Google cars capturing that information and publishing
it, which means, from what I read, that the wpa2 salt is  
therefore published, which means hash tables will soon be  
available so I have just changed my passphrase to something
which I believe is as unique as I can make it.

Quoted text here. Click to load it

I know. I know. For that, I will need to use Tor or VPN as  
far as I can tell. But even Tor and VPN together don't protect  
me at the final hop.

I have been reading up on Tor and VPN and setting up the  
Tor seems difficult but I have vidalia and privoxy installed
so the rest should be done soon.

Quoted text here. Click to load it

THIS IS MY NEXT BIGGEST CONCERN TO UNDERSTAND!

If I want to see what's on the other end of my modem, what would I  
connect it to? My computer doesn't have a coaxial cable connection.

If a neighbor wants to snoop on the wires from the cable modem to the
Comcast office, can they do it from their laptop?

Quoted text here. Click to load it

I had to look up the word "dudgeon" because I never heard of it
before you.  
- a wood used in making the handles of knives, daggers, etc
- a dagger, knife, etc, with a dudgeon hilt
- anger or resentment (archaic, except in the phrase in high dudgeon)
- a feeling of offense or resentment; anger:  

high dudgeon  
- a feeling of intense indignation (now used only in the phrase `in high dudgeon')

I appreciate your point and the new phrase!


Re: What exactly does SSL protect in a web site forum/mail?
On 2016-01-26 19:26, Alice J. wrote:

Quoted text here. Click to load it

I have not seen any.
Maybe you misunderstood.

Quoted text here. Click to load it

From the link someone posted recently (of 2005 vintage), it is as easy
as connecting directly the modem to the computer directly, and use
suitable software.

http://www.hackerthreads.org/Topic-9677

This assumes that the modem does no routing, but just conversion of
cable shapes and signals.

--  
Cheers, Carlos.

Re: What exactly does SSL protect in a web site forum/mail?
On Tue, 26 Jan 2016 20:08:14 +0100, Carlos E.R. wrote in message
upsknc-lpi.ln1@Telcontar.valinor:

Quoted text here. Click to load it

Probably.  
It wouldn't be the first time, nor the last!
That's why public usenet is so good because someone will correct me!

Quoted text here. Click to load it

I read those two pages, and I tried to download the software but it's
no longer available. Also those pages assumed that something called  
DOCSIS BPI (Baseline Privacy Interface) is turned off.

Looking this up, in my Costco DOCSIS3 modem, BPI is called SEC but
the purpose appears to remain the same, which is to encrypt the  
cable communications.

According to the DOCSYS Wikipedia (https://en.wikipedia.org/wiki/DOCSIS )
  "The intent of the BPI/SEC specifications is to ...
   a. provide cable modem users with data privacy across the cable network
   b. prevent unauthorized modems and users from gaining access

I can only presume that Comcast is smart enough to turn on the SEC  
specification in my modem, but I do not know that they actually did that.





Re: What exactly does SSL protect in a web site forum/mail?
On 2016-01-26 21:09, Alice J. wrote:
Quoted text here. Click to load it

...


I'm not surprised at that :-)

I only did a quick read, but I think that the program was intended as
part of a method to obtain free internet service by illegally connecting
to the cable and posing as some other neighbour whose MAC is valid - not
something I'd be inclined to try >;-)

--  
Cheers,
       Carlos E.R.

Site Timeline