Re: encrypting a form's action URL with HTTPS link

2003-10-24 Thread Adam Hardy


On 10/23/2003 05:33 PM Punjabi, Naveen K wrote:
> Hello Adam,
>
> Well yes, in case of SSL (secure socket Layer) all your form
> content along with the page header will go in an encrypted format. If
> you want to know in detail how SSL works then here goes the entire
> explanation
> SSL is based on the Public Key crypto system with following
> steps
> 1. When you type an SSL URL, the browser sends a hello message to the
> server.
> 2. The server then sends its own Certificate and a random nonce
> encrypted with its public Key.
> 3. The browser gets the Server certificate. Verifies it. Gets the public
> Key from the certificate and authenticates the server
> 4. The client then makes a MASTER KEY and encrypts it with the server
> public key. It sends its own certificate to the server. And also a nonce
> encrypted with its own public key.
> 5. Now server takes the client certificate. Verifies it. Gets the public
> key of client from the certificate and authenticates the client.
> 6. Now the server knows the client public key, so it just decrypts the
> encrypted Master Key. This master key then becomes the secret key for
> further transactions between the client and server.

Thanks for the excellent run-down, Naveen.

regards
Adam
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


RE: encrypting a form's action URL with HTTPS link

2003-10-23 Thread Punjabi, Naveen K
Hello Adam,

Well yes, in case of SSL (secure socket Layer) all your form
content along with the page header will go in an encrypted format. If
you want to know in detail how SSL works then here goes the entire
explanation

SSL is based on the Public Key crypto system with following
steps

1. When you type an SSL URL, the browser sends a hello message to the
server. 
2. The server then sends its own Certificate and a random nonce
encrypted with its public Key.
3. The browser gets the Server certificate. Verifies it. Gets the public
Key from the certificate and authenticates the server
4. The client then makes a MASTER KEY and encrypts it with the server
public key. It sends its own certificate to the server. And also a nonce
encrypted with its own public key.
5. Now server takes the client certificate. Verifies it. Gets the public
key of client from the certificate and authenticates the client.
6. Now the server knows the client public key, so it just decrypts the
encrypted Master Key. This master key then becomes the secret key for
further transactions between the client and server.

Naveen Punjabi
USC, Computer Science
http://www-scf.usc.edu/~npunjabi

-Original Message-
From: Bill Barker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 7:59 PM
To: [EMAIL PROTECTED]
Subject: Re: encrypting a form's action URL with HTTPS link



Adam Hardy [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]


> Hi All,
>
> I am trying to work out whether my form submission is sent encrypted in
> SSL or not.
>
> If I code my form like this:
>
> <form method="POST" action="https://localhost:8443/sslform">
>
> will it actually be encrypted?

Yes.

> When I click submit, the browser pops up a certificate dialog box (since
> I'm not using verisign) and then the message that I'm visiting a secure
> form.
>
> This makes me think that the request has been sent unencrypted first to
> the server, which has responded in SSL with the certificate.
>
> Is that so?

No.  All of that traffic is the SSL-handshake between your browser and
Tomcat.  Your browser won't send the actual request to Tomcat until after
all of the popups.

> Thanks
> Adam
>
> PS is there a tool like wget or perhaps a way of using wget, where I can
> specify form elements in a request and see the contents & config of the
> server's response?
>
> --
> struts 1.1 + tomcat 5.0.12 + java 1.4.2
> Linux 2.4.20 RH9







RE: encrypting a form's action URL with HTTPS link

2003-10-23 Thread Punjabi, Naveen K
Forgot to mention one thing..Yeah the initial request goes
unencrypted..:)
but it's just a hello message..no sensitive data in it

-Original Message-
From: Punjabi, Naveen K 
Sent: Thursday, October 23, 2003 8:33 AM
To: Tomcat Users List
Subject: RE: encrypting a form's action URL with HTTPS link


Hello Adam,

Well yes, in case of SSL (secure socket Layer) all your form
content along with the page header will go in an encrypted format. If
you want to know in detail how SSL works then here goes the entire
explanation

SSL is based on the Public Key crypto system with following
steps

1. When you type an SSL URL, the browser sends a hello message to the
server. 
2. The server then sends its own Certificate and a random nonce
encrypted with its public Key.
3. The browser gets the Server certificate. Verifies it. Gets the public
Key from the certificate and authenticates the server
4. The client then makes a MASTER KEY and encrypts it with the server
public key. It sends its own certificate to the server. And also a nonce
encrypted with its own public key.
5. Now server takes the client certificate. Verifies it. Gets the public
key of client from the certificate and authenticates the client.
6. Now the server knows the client public key, so it just decrypts the
encrypted Master Key. This master key then becomes the secret key for
further transactions between the client and server.

Naveen Punjabi
USC, Computer Science
http://www-scf.usc.edu/~npunjabi




RE: encrypting a form's action URL with HTTPS link

2003-10-23 Thread Punjabi, Naveen K
Forgot to mention one thing :).. Yeah, the initial request goes
unencrypted.
But then it's just a Hello message. There's no sensitive information in
it.

Naveen Punjabi
USC, Computer Science,
http://www-scf.usc.edu/~npunjabi




Re: encrypting a form's action URL with HTTPS link

2003-10-23 Thread Christopher Schultz
Naveen/Adam,

> Well yes, in case of SSL (secure socket Layer) all your form
> content along with the page header will go in an encrypted format.

Of note is that the URL itself is *not* encrypted, although everything 
else is. So, be careful that you specify your HTTPS form submissions as 
being POST instead of GET; otherwise your form data will go into the 
(unencrypted) URL.

-chris



RE: encrypting a form's action URL with HTTPS link

2003-10-23 Thread Wade Chandler
Actually URLs are.  You are using an SSLSocket.  HTTPS can't control
that fact.  Your URL using a GET is usually displayed in a browser, so
some people have this misconception.  So, yes it's all encrypted.

Wade

-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 23, 2003 5:38 PM
To: Tomcat Users List
Subject: Re: encrypting a form's action URL with HTTPS link


Naveen/Adam,

> Well yes, in case of SSL (secure socket Layer) all your form content
> along with the page header will go in an encrypted format.

Of note is that the URL itself is *not* encrypted, although everything 
else is. So, be careful that you specify your HTTPS form submissions as 
being POST instead of GET; otherwise your form data will go into the 
(unencrypted) URL.

-chris





Re: encrypting a form's action URL with HTTPS link

2003-10-23 Thread Christopher Schultz
Wade,

> Actually URLs are.  You are using an SSLSocket.

Oh, right. Sorry, I had my head temporarily in, uh, a hole in the ground :)

My paranoia comes from URLs sometimes being forwarded after decryption, 
say, behind a firewall. Apache, for one, logs URLs to the access log if 
configured to do so, so your URL might end up being recorded. That's bad 
news if there's sensitive data on a machine that gets compromised.

Sorry for the confusion: URLs across SSL are definitely encrypted. 
Thanks for the correction.

-chris
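
The access-log exposure described in the message above can be checked for directly. This is an added example, not part of the original thread: it scans Apache combined-format log lines for sensitive field names in query strings and masks their values. The log lines, the `SENSITIVE` name list and the function names are constructed for illustration; `/sslform` is the path from Adam's form.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" access-log layout; only the request line matters here.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')

# Assumption: field names treated as sensitive; adjust for your application.
SENSITIVE = {"password", "passwd", "pwd", "token", "ssn", "cardnumber", "cvv"}

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Oct/2003:17:38:01 -0400] "GET /sslform?user=adam&password=hunter2 HTTP/1.1" 200 512
192.0.2.10 - - [23/Oct/2003:17:38:09 -0400] "POST /sslform HTTP/1.1" 200 498
192.0.2.11 - - [23/Oct/2003:17:39:44 -0400] "GET /search?q=tomcat+ssl HTTP/1.1" 200 2048
192.0.2.12 - - [23/Oct/2003:17:40:02 -0400] "GET /reset?token=abc123&next=%2Fhome HTTP/1.1" 302 -
"""

def audit(log_text):
    """Return one finding per request whose query string names a sensitive field."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        parts = urlsplit(m["target"])
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        leaked = sorted({n for n in names if n.lower() in SENSITIVE})
        if leaked:
            findings.append({"line": lineno, "method": m["method"],
                             "path": parts.path, "fields": leaked})
    return findings

def redact(line):
    """Mask the values of sensitive query parameters before a line is shared."""
    pattern = r'(?i)([?&](?:%s)=)[^&\s"]*' % "|".join(sorted(SENSITIVE))
    return re.sub(pattern, r'\1[REDACTED]', line)

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG.splitlines()[0]))
```

The POST to `/sslform` produces no finding because its form fields travel in the request body, which the combined log format does not record.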



Re: encrypting a form's action URL with HTTPS link

2003-10-22 Thread frode
> PS is there a tool like wget or perhaps a way of using wget, where I can
> specify form elements in a request and see the contents & config of the
> server's response?

You might want to look at cURL, http://curl.haxx.se/






encrypting a form's action URL with HTTPS link

2003-10-21 Thread Adam Hardy


Hi All,

I am trying to work out whether my form submission is sent encrypted in 
SSL or not.

If I code my form like this:

<form method="POST" action="https://localhost:8443/sslform">

will it actually be encrypted?

When I click submit, the browser pops up a certificate dialog box (since 
I'm not using verisign) and then the message that I'm visiting a secure 
form.

This makes me think that the request has been sent unencrypted first to 
the server, which has responded in SSL with the certificate.

Is that so?

Thanks
Adam
PS is there a tool like wget or perhaps a way of using wget, where I can 
specify form elements in a request and see the contents & config of the 
server's response?

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


Re: encrypting a form's action URL with HTTPS link

2003-10-21 Thread Bill Barker

Adam Hardy [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]


> Hi All,
>
> I am trying to work out whether my form submission is sent encrypted in
> SSL or not.
>
> If I code my form like this:
>
> <form method="POST" action="https://localhost:8443/sslform">
>
> will it actually be encrypted?

Yes.

> When I click submit, the browser pops up a certificate dialog box (since
> I'm not using verisign) and then the message that I'm visiting a secure
> form.
>
> This makes me think that the request has been sent unencrypted first to
> the server, which has responded in SSL with the certificate.
>
> Is that so?

No.  All of that traffic is the SSL-handshake between your browser and
Tomcat.  Your browser won't send the actual request to Tomcat until after
all of the popups.

> Thanks
> Adam
>
> PS is there a tool like wget or perhaps a way of using wget, where I can
> specify form elements in a request and see the contents & config of the
> server's response?
>
> --
> struts 1.1 + tomcat 5.0.12 + java 1.4.2
> Linux 2.4.20 RH9



