sfs8 pt1

Michael Procter ukcrypto at chiark.greenend.org.uk
Mon, 29 Sep 2008 13:50:07 +0100 (BST)


On Mon, September 29, 2008 12:59 pm, Charles Lindsey wrote:
> On Fri, 26 Sep 2008 20:08:42 +0100, Dave Howe <DaveHowe@gmx.co.uk> wrote:
>> http://www.novell.com/communities/node/1606/decrypting+ssl+traffic+troubleshoot+nam
>
> I read that page, and failed to understand it. It implies that if you
> operate a browser, which is a _client_ of some server (say your bank), and
> capture all the IP packets during some exchange using https (with RSA
> keys, not DHE ones), then you can (with sufficient effort) recover the
> unencrypted exchanges. But it seems that, at some stage in the process,
> you need to recover some "private key". Whose private key is that? Surely
> not the private key of your bank or of Verisign, as used in generating the
> certificate that was exhibited?

Yes - the key of the server.  The article describes this in the section
'Extracting the Private Key':
"Next, we need to find and extract the private key from the server."

The article is intended for use by people with administrative access to
the server in question, and not simply access to the browser, although
that might be required to disable those pesky DHE variants!

Much of this thread seems to be based around the assumption that the
server should know what minimum level of protection is acceptable for
the service it delivers.  However, it seems to me that there are times
when the client might choose to require a higher level of protection than
that (an obvious example might be to require DHE for certain sites). 
Whilst it is possible in Firefox (and I assume other browsers) to enable
or disable particular cipher suites, it isn't very straightforward to keep
tweaking the list for different sites.  How do other people manage this in
a practical manner?

Regards,

Michael
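
Added example, not part of the original message or of the Novell article: one way a client can require ephemeral (DHE/ECDHE) key exchange for selected sites only, using Python's standard `ssl` module. The host name `bank.example`, the policy set and the helper names are constructed for illustration.

```python
import ssl

# Hypothetical per-site policy: hosts for which this client insists on
# ephemeral key exchange. The host name is a constructed example.
REQUIRE_EPHEMERAL = {"bank.example"}

# OpenSSL cipher string restricted to ECDHE/DHE key exchange.
EPHEMERAL_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def is_forward_secret(openssl_name: str) -> bool:
    """Classify an OpenSSL suite name by key exchange.

    True means a captured session cannot be decrypted afterwards with
    only the server's long-term private key.
    """
    if openssl_name.startswith("TLS_"):
        # TLS 1.3 suites always use an ephemeral key exchange.
        return True
    # "ECDH-" and "DH-" (no trailing E) are static variants and are
    # deliberately not matched; bare names like "AES128-SHA" use RSA
    # key transport.
    return openssl_name.startswith(("ECDHE-", "DHE-", "EDH-"))


def context_for(host: str) -> ssl.SSLContext:
    """Return a client context, tightened for hosts in the policy set."""
    ctx = ssl.create_default_context()
    if host in REQUIRE_EPHEMERAL:
        ctx.set_ciphers(EPHEMERAL_ONLY)
    return ctx


def offered_suites(ctx: ssl.SSLContext) -> list:
    """Names of the suites this context will offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for host in ("bank.example", "news.example"):
        names = offered_suites(context_for(host))
        static = [n for n in names if not is_forward_secret(n)]
        print(host, "offers", len(names), "suites;",
              len(static), "without forward secrecy")
```

After a handshake, the first element of the tuple returned by `SSLSocket.cipher()` can be passed to `is_forward_secret` to confirm what was actually negotiated.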