Questions tagged [tls]
SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security)
1,119 questions
1289 votes, 3 answers, 691k views
How does SSL/TLS work?
How does SSL work? I just realised we don't actually have a definitive answer here, and it's something worth covering.
I'd like to see details in terms of:
A high level description of the protocol.
...
170 votes, 13 answers, 107k views
https security - should password be hashed server-side or client-side?
I am building a web application which requires users to login. All communication goes through https. I am using bcrypt to hash passwords.
I am facing a dilemma - I used to think it is safer to make a ...
94 votes, 4 answers, 87k views
SSL Certificate framework 101: How does the browser verify the validity of a given server certificate?
(I have a basic understanding of public/private key, hashing, digital signatures... I have been searching online & stack forums last couple days but cannot seem to find a satisfactory answer.)
...
372 votes, 6 answers, 343k views
What is certificate pinning?
I'm superficially familiar with SSL and what certs do. Recently I saw some discussion on cert pinning but there wasn't a definition. A DDG search didn't turn up anything useful. What is certificate ...
420 votes, 14 answers, 69k views
How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it?
I've often heard it said that if you're logging in to a website - a bank, GMail, whatever - via HTTPS, that the information you transmit is safe from snooping by 3rd parties. I've always been a little ...
219 votes, 7 answers, 219k views
Does https prevent man in the middle attacks by proxy server?
There is a desktop client A connecting to website W in a https connection
A --> W
Somehow between A and W, there is a proxy G.
A --> G --> W
In this case, will G be able to get the ...
106 votes, 5 answers, 148k views
How does SSLstrip work?
I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works.
A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in ...
50 votes, 11 answers, 5k views
Does hashing a file from an unsigned website give a false sense of security?
Consider this. Many websites with software downloads also make available MD5 or SHA1 hashes, for users to verify the integrity of the downloaded files. However, few of these sites actually use HTTPS ...
79 votes, 3 answers, 12k views
Are URLs viewed during HTTPS transactions to one or more websites from a single IP distinguishable?
For example, say the following are HTTPS URLs to two websites by one IP over 5 mins:
"A.com/1", "A.com/2", "A.com/3", "B.com/1", "B.com/2".
Would monitoring of packets reveal:
nothing,
reveal only ...
116 votes, 18 answers, 20k views
Does an established HTTPS connection mean a line is really secure?
From the view of somebody offering a web application, when somebody connects with TLS (https) to our service and submits the correct authentication data, is it safe to transmit all sensitive data over ...
84 votes, 6 answers, 73k views
Does SSL/TLS (https) hide the urls being accessed [duplicate]
Suppose I type this in my browser
https://www.mysite.com/getsecret?username=alice&password=mysecret
and an attacker is watching all traffic from me to my ISP.
What information is protected by ...
97 votes, 9 answers, 110k views
Can my company see what HTTPS sites I went to?
At work my company uses internet monitoring software (Websense). I know if I visit a https ssl-encrypted site (such as https://secure.example.com) they can't see what I'm doing on the site since all ...
82 votes, 13 answers, 26k views
What are the pros and cons of site wide SSL (https)?
What are the pros and cons of encrypting all HTTP traffic for the whole site through SSL, as opposed to SSL on just the login page?
23 votes, 4 answers, 7k views
If the public key can't be used for decrypting something encrypted by the private key, then how do digital signatures work?
I'm learning asymmetric encryption in the use case of ssl/tls protocol.
I can understand that the public key (like a padlock) can encrypt (lock)
something and only the private key can decrypt (open)...
90 votes, 12 answers, 19k views
How feasible is it for a CA to be hacked? Which default trusted root certificates should I remove?
This question has been revised & clarified significantly since the original version.
If we look at each trusted certificate in my Trusted Root store, how much should I trust them?
What factors ...