pointertovoid Posted May 10, 2016

Hello everyone and everybody!

When I visit an https website where I provide data that must be encrypted (identifiers for instance), who provides the encryption, between my browser and the website? I attach an example with Firefox used to log in at Yahoo.

I vaguely imagine that the browser (relying possibly on the OS) provides cryptographic services, the webpage tells "please encrypt the user's identifiers" and "I understand these codes and protocols", then the browser looks for a set of codes and protocols spoken on both sides, then they define and exchange some keys and transfer the data. Is that it?

Thank you!

Tripredacus Posted May 10, 2016

They both do. They are using a standard method, for example you can see it mentioned in bold where it says Connexion chiffree. The web server may use a specific standard, and the browser supports multiple standards. When the browser goes to the site, it will inform that it will be using x type of connection. The browser understands how to communicate in this way and then the two ends can talk.

So it stands to reason that an outdated browser may not work properly, if at all, with a website using a modern form of encryption. This is likely why you hear about some websites outright blocking older browsers from connecting to them, or displaying broken content or a blank screen.

pointertovoid Posted May 11, 2016

Thanks Tripredacus! That's clearer.

And is there any known weakness in the GCM mode of AES provided by Firefox? I've seen it's a pseudorandom sequence mode (sequence xor plaintext = cyphertext), which is **** difficult to program without introducing weaknesses.

For a month, Yahoo has been using a new login page, where I first type my identifier, and then the page refreshes and I type my password. So if the pseudorandom sequence is somehow linked between both uses by the same page, for instance if it's identical, the user loses. An attacker knowing the identifier and hearing the connection deduces the pseudorandom sequence, then the password.

I don't see why programmers for encrypted pages go for pseudorandom sequences. Normal modes like codebook or chained codebook are as easy and not so horribly dangerous.
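
Added example, not part of the original posts: the keystream-reuse scenario raised in the post above, modelled in Python, next to a sender that gives every record its own nonce. HMAC-SHA256 in counter mode stands in for the AES counter-mode core of GCM (the authentication tag is left out), and the key, salt, identifier and password are constructed values. The nonce layout (4-byte salt plus an 8-byte part that must differ for every record) follows TLS 1.2 AES-GCM.

```python
import hashlib
import hmac
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 is a stand-in for the AES block function."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def seal_record(key: bytes, salt: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt one record: nonce = per-connection salt + 64-bit record counter."""
    nonce = salt + struct.pack(">Q", seq)
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def observer_guess(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """What a passive observer who knows record 1's plaintext can compute for record 2."""
    return xor(xor(c1, known_p1), c2)


def demo():
    key, salt = b"K" * 32, b"\x01\x02\x03\x04"  # constructed session values
    ident, password = b"user@example.test", b"correct-horse"  # constructed inputs
    c1 = seal_record(key, salt, 0, ident)
    # Broken sender: the counter is not advanced, so both records share a keystream.
    c2_reused = seal_record(key, salt, 0, password)
    # Correct sender: the counter advances, so record 2 gets an unrelated keystream.
    c2_unique = seal_record(key, salt, 1, password)
    return observer_guess(c1, ident, c2_reused), observer_guess(c1, ident, c2_unique)


if __name__ == "__main__":
    reused, unique = demo()
    print("nonce reused:", reused)
    print("nonce unique:", unique)
```
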

pointertovoid Posted August 16, 2016

More worries: Paypal has switched to a stream cipher for its login. It's not exactly the GCM mode but one said to give a better guarantee that the initial vector is unique, oh good.

Knowing that
- A stream cipher is inherently more dangerous than the block mode or chained block;
- It's obviously as slow as a block mode - whatever nonsense Wiki repeats about AES, it needs one block encryption per data block too,

I just wonder WHY so many programmers switch to stream ciphers, including now Paypal which had made sensible choices up to now and had been virtually immune to the attacks that broke Wanadoo, Yahoo and the others.

Or do they all give in to the orders of gov' agencies that want to spy everything by collapsing the individual and collective resilience to any attack, including a foreign one?