This is a discussion on "How to determine if SSL is encrypted?" within the Linux Security forums, part of the System Security and Security Related category.
On 2008-04-15, buck <buck@private.mil> wrote:
> I have googled and not found anything appropriate. If anyone can supply
> some keywords for my search, please do.
>
> stunnel connects to news.newsguy.com on port 563. How can I know that this
> transmission is encrypted?
> --
> buck

I think SSL is encrypted by definition. You could use a packet sniffer to check.
buck wrote:
> I have googled and not found anything appropriate. If anyone can supply
> some keywords for my search, please do.
>
> stunnel connects to news.newsguy.com on port 563. How can I know that this
> transmission is encrypted?

Two options come to mind.

1. Do a packet capture with tcpdump, wireshark, etc., and watch the SSL encryption type get negotiated. That part's always in the clear.

2. Although I haven't ever done it myself, crank up the debug level. stunnel comes with its own documentation. It could be better, but check out the debug and output parameters in stunnel.conf.
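To make the packet-capture check concrete: the cipher suite the server picks is carried in its ServerHello, which goes over the wire before any encryption starts, so a capture (or a small tool fed the captured bytes) can read it directly. The Python below is an added example, not code from this thread or from stunnel. It parses one raw TLS ServerHello record, looks the chosen suite up in a partial table of NULL-encryption suites taken from RFC 5246 appendix A.5 and RFC 4492 section 6, and includes a helper for the `(name, protocol, bits)` tuple that Python's `ssl.SSLSocket.cipher()` returns on a live connection. The sample records are constructed inside the block (`build_server_hello`, with an all-zero random) purely as test input.

```python
import struct

# Cipher suites whose bulk cipher is NULL: integrity only, no confidentiality.
# Ids from RFC 5246 appendix A.5 and RFC 4492 section 6. The table is
# deliberately partial (the PSK NULL suites of RFC 4785, for example, are omitted).
NULL_CIPHER_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
    0xC001: "TLS_ECDH_ECDSA_WITH_NULL_SHA",
    0xC006: "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    0xC00B: "TLS_ECDH_RSA_WITH_NULL_SHA",
    0xC010: "TLS_ECDHE_RSA_WITH_NULL_SHA",
    0xC015: "TLS_ECDH_anon_WITH_NULL_SHA",
}

# A few ordinary suites, only so the example can print a readable name.
KNOWN_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
KNOWN_SUITES.update(NULL_CIPHER_SUITES)

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Extract version and cipher suite from one raw TLS record holding a
    ServerHello (SSLv3 through TLS 1.2; TLS 1.3 keeps the same legacy layout
    for these fields). Raises ValueError for anything that is not one."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello layout: version(2) random(32) session_id<0..32>
    #                     cipher_suite(2) compression(1) [extensions]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[0:2])
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack("!H", hello[off:off + 2])
    return {
        "version": version,
        "cipher_suite": suite,
        "suite_name": KNOWN_SUITES.get(suite, "unknown 0x%04x" % suite),
        "null_cipher": suite in NULL_CIPHER_SUITES,
    }


def live_cipher_is_null(cipher: tuple) -> bool:
    """Same verdict for the (name, protocol, secret_bits) tuple that
    ssl.SSLSocket.cipher() returns on an established connection: OpenSSL
    names NULL-encryption suites with 'NULL' and reports 0 secret bits."""
    name, _protocol, bits = cipher
    return "NULL" in name.upper() or not bits


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ServerHello record with an
    all-zero random, empty session id, null compression and no extensions."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", suite) + b"\x00")
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return (bytes([HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


if __name__ == "__main__":
    for suite in (0x0002, 0x002F, 0xC02F):
        info = parse_server_hello(build_server_hello(suite))
        verdict = "NO ENCRYPTION" if info["null_cipher"] else "encrypted"
        print("%-40s %s" % (info["suite_name"], verdict))
```

On a real capture, feed `parse_server_hello` the first handshake record sent by the server (the one following the client's ClientHello); on a connection your own code opened, `live_cipher_is_null(sock.cipher())` gives the same answer without any capture. An unknown suite id is reported rather than assumed safe, since the table is partial.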
"buck" <buck@private.mil> wrote in message
news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
> I have googled and not found anything appropriate. If anyone can supply
> some keywords for my search, please do.
>
> stunnel connects to news.newsguy.com on port 563. How can I know that this
> transmission is encrypted?

By DEFINITION.
D. Stussy wrote:
> "buck" <buck@private.mil> wrote in message > news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81... >> I have googled and not found anything appropriate. If anyone can supply >> some keywords for my search, please do. >> >> stunnel connects to news.newsguy.com on port 563. How can I know that > this >> transmission is encrypted? > > By DEFINITION. Not quite. SSL allows the NULL cipher, which is no encryption. Of course, it has to be offered by the server and selected by the client. I don't know of any admins who enable it on their servers, but I can't speak authoritatively about all servers everywhere. Example: Assuming you use Firefox (I use 1.5.0.x, so YMMV), go to about:config and filter on security.ssl. Notice that there are NULL encryption options available. (Hopefully they are disabled, but they exist.) Example: Apache uses "aNULL" for the algorithm NULL SSL option. It is also disabled by default, but you can turn it on if you want. (I believe stunnel uses the same options and defaults.) Why would you want to use SSL without encryption? I suppose you could use it for certificate-based client authentication only, without encryption. I don't know anyone who does, but, hey, if you want, you can. |
|
|||
|
On 2008-04-15, Allen Kistler <ackistler@oohay.moc> wrote:
> Why would you want to use SSL without encryption? I suppose you could
> use it for certificate-based client authentication only, without
> encryption. I don't know anyone who does, but, hey, if you want, you can.

If you're debugging a remote application that has no cleartext option, you can use null encryption to be able to sniff the data going over the wire without having to rewrite the app to allow a cleartext session. I don't have a good example off the top of my head, but imagine that HTTP didn't exist, and the only thing your httpd supported was HTTPS. Would you want to rewrite your httpd to support plaintext HTTP, or would it be easier to simply use null encryption?

I wonder if the SSL developers themselves use null encryption as part of their development and testing process.

--keith

--
kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
"Allen Kistler" <ackistler@oohay.moc> wrote in message
news:q1bNj.3916$vF.3700@newssvr21.news.prodigy.net ...
> D. Stussy wrote:
>> "buck" <buck@private.mil> wrote in message
>> news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81...
>>> I have googled and not found anything appropriate. If anyone can supply
>>> some keywords for my search, please do.
>>>
>>> stunnel connects to news.newsguy.com on port 563. How can I know that
>> this
>>> transmission is encrypted?
>>
>> By DEFINITION.
>
> Not quite. SSL allows the NULL cipher, which is no encryption.

Is that really secure? SSL = Secure sockets layer. A NULL cypher may be permitted but I don't call that secure.
On 16 Apr, 07:35, "D. Stussy" <s...@bde-arc.ampr.org> wrote:
> "Allen Kistler" <ackist...@oohay.moc> wrote in message > > news:q1bNj.3916$vF.3700@newssvr21.news.prodigy.net ... > > > D. Stussy wrote: > > > "buck" <b...@private.mil> wrote in message > > >news:Xns9A817A6F1EBACbuckprivatemil@64.209.0.81.. . > > >> I have googled and not found anything appropriate. *If anyone can > supply > > >> some keywords for my search, please do. > > > >> stunnel connects to news.newsguy.com on port 563. *How can I know that > > > this > > >> transmission is encrypted? > > > > By DEFINITION. > > > Not quite. *SSL allows the NULL cipher, which is no encryption. > > Is that really secure? *SSL = Secure sockets layer. *A NULL cypher may be > permitted but I don't call that secure. It's not, but it's exactly what the original poster was asking about. buck wanted to be sure that his SSL connection was, in fact, encrypted. A sneaky bastard of an SSL server could, in theory, negotiate a 'null'' cipher, and that way a connection with a browser might show a lovely little 'secured' icon but in actuality be unencrypted. I don't know if any browsers or stunnel could be misled this way, but it's a fascinating question. |
|
|||
|
Keith Keller wrote:
> On 2008-04-15, Allen Kistler <ackistler@oohay.moc> wrote:
>> Why would you want to use SSL without encryption? I suppose you could
>> use it for certificate-based client authentication only, without
>> encryption. I don't know anyone who does, but, hey, if you want, you can.
>
> If you're debugging a remote application that has no cleartext option,
> you can use null encryption to be able to sniff the data going over the
> wire without having to rewrite the app to allow a cleartext session. I
> don't have a good example off the top of my head, but imagine that HTTP
> didn't exist, and the only thing your httpd supported was HTTPS. Would
> you want to rewrite your httpd to support plaintext HTTP, or would it be
> easier to simply use null encryption?
>
> I wonder if the SSL developers themselves use null encryption as part of
> their development and testing process.

Since it's an allowed option, I hope they test it whether they use it for anything else or not, eh?

The rest makes sense, though.
Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
> > Why would you want to use SSL without encryption? I suppose you
> > could use it for certificate-based client authentication only,
> > without encryption. I don't know anyone who does, but, hey, if you
> > want, you can.
>
> If you're debugging a remote application that has no cleartext option,
> you can use null encryption to be able to sniff the data going over
> the wire without having to rewrite the app to allow a cleartext
> session. I don't have a good example off the top of my head, but
> imagine that HTTP didn't exist, and the only thing your httpd
> supported was HTTPS. Would you want to rewrite your httpd to support
> plaintext HTTP, or would it be easier to simply use null encryption?

To support HTTPS (HTTP via SSL), a server must support plaintext HTTP in the first place. HTTPS is not a specialized HTTP-based protocol, but just HTTP wrapped in SSL.

One valid reason to use SSL weak or null encryption is performance. Strong encryption costs a lot of CPU power. If secrecy is not mandatory, one can trade it for speed. Imagine, for example, the local network of a small- or medium-scale company, where encryption isn't needed, except for a few special things.

Regards,
Ertugrul.

--
http://ertes.de/