sfs8 pt1
Charles Lindsey
ukcrypto at chiark.greenend.org.uk
Mon, 29 Sep 2008 12:59:18 +0100

On Fri, 26 Sep 2008 20:08:42 +0100, Dave Howe <DaveHowe@gmx.co.uk> wrote:
> I was unable to get apache to accept DHE preferentially - in fact, the
> only way I could get it to accept it at all for IE was to restrict the
> list to *just* DHE schemes.
>
> However, it appears I am the only one who considers this a bad thing.
> Note the following:
>
> http://www.novell.com/communities/node/1606/decrypting+ssl+traffic+troubleshoot+nam

I read that page, and failed to understand it. It implies that if you
operate a browser, which is a _client_ of some server (say your bank), and
capture all the IP packets during some exchange using https (with RSA
keys, not DHE ones), then you can (with sufficient effort) recover the
unencrypted exchanges. But it seems that, at some stage in the process,
you need to recover some "private key". Whose private key is that? Surely
not the private key of your bank or of Verisign, as used in generating the
certificate that was exhibited?

And yet it seems to depend on the identity of that certificate; but it
also seems to involve capturing some data from the key-management
facilities of your browser. But surely there are no private keys stored in
there (lots of public keys, of course). There may or may not be your own
private keys that you have generated, but in most cases I would expect not.

So how does it work?

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5