[1762] in WWW Security List Archive


Re: The Netscape security "key": misleading??

daemon@ATHENA.MIT.EDU (Adam Shostack)
Sun Mar 31 16:08:52 1996

From: Adam Shostack <adam@lighthouse.homeport.org>
To: dymmd@source.asset.com
Date: Sun, 31 Mar 1996 13:39:33 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <9603291453.AA30639@reuse.asset.com> from "David Robert Dymm" at Mar 29, 96 09:53:19 am
Errors-To: owner-www-security@ns2.rutgers.edu

David Robert Dymm wrote:

| My understanding is that the SSL protocol provides for the ability of the
| browser to encrypt information sent to the server using the server's public
| key. In that sense, the connection is secure. However the link from server 
| to browser is still insecure. With the SSL protocol, there is no way to
| send encrypted information from server to browser. But even if this was

	You misunderstand SSL.  Under SSL, the browser generates a
session key, sends it to the server encrypted with the server's public
key, and then starts sending information encrypted with that session
key.  The assumption is that only the server can decrypt the session
key to read the traffic being sent.  I have an overview of SSL
available at www.homeport.org/~adam/ssl.html.  There are also docs on
Netscape's servers which explain the protocol.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
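
The exchange described in the reply above, as an added example that is not part of the original message or of any SSL implementation: the browser wraps a session key under the server's public key, and that one shared key then protects traffic in both directions. The tiny RSA key, the SHA-256 keystream standing in for the negotiated cipher, the direction labels and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key for the server: two Mersenne primes, far too small
# for real use, chosen only so the example runs with the standard library.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                               # server public modulus
D = pow(E, -1, (P - 1) * (Q - 1))       # server private exponent

def keystream_xor(session_key: int, direction: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter keystream."""
    key = session_key.to_bytes(8, "big")
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + direction + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], pad))
    return bytes(out)

def browser_hello():
    """Browser picks a session key and wraps it under the server public key."""
    session_key = secrets.randbits(64)
    return session_key, pow(session_key, E, N)   # unpadded RSA, toy only

def server_unwrap(wrapped: int) -> int:
    """Only the holder of the private exponent D recovers the session key."""
    return pow(wrapped, D, N)

def exchange(request: bytes, response: bytes):
    """Run one round trip and return what crosses the wire and what each side reads."""
    browser_key, wrapped = browser_hello()
    server_key = server_unwrap(wrapped)
    # Browser -> server, encrypted under the session key.
    c_req = keystream_xor(browser_key, b"c2s", request)
    seen_by_server = keystream_xor(server_key, b"c2s", c_req)
    # Server -> browser, encrypted under the same session key.
    c_resp = keystream_xor(server_key, b"s2c", response)
    seen_by_browser = keystream_xor(browser_key, b"s2c", c_resp)
    return wrapped, c_req, c_resp, seen_by_server, seen_by_browser

if __name__ == "__main__":
    # Constructed sample messages.
    for item in exchange(b"GET /order HTTP/1.0", b"card accepted"):
        print(item)
```

An observer on the wire sees only `wrapped`, `c_req` and `c_resp`; neither direction carries plaintext.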

