-1

I have a little doubt on using HSTS, as per this video, once HSTS is implemented, all the URLs will be going in HTTPS, but as we all know in using SSL we need pre-specified encryption algorithms and key exchanges.

My doubt is since the first request is implemented with HTTPS so would they be using same algorithms and keys as specified in previous connection session, or they how would it go about?

Anders
  • 65,582
  • 24
  • 185
  • 221
Saurabh
  • 1
  • 1
  • 3
    As per your video - is this a copied support request? Please could you clarify your question (click edit to do this) - thanks. – SilverlightFox May 12 '15 at 11:15
  • Hi silverlightfox , my doubt is that while establishing HTTPS connection, you need to exchange the certificate and agree on an encryption algorithm to carry out further communication,this happens over HTTP and once the keys are shared and algorithms are decided further data will be encrypted but since in HSTS all data goes encrypted from the first request itself , so the client and server are using the algorithms and keys as decided in previous HTTPS session or how it works, how can the first request be encrypted without sharing the keys, hope I am clear now. Thanks – Saurabh May 12 '15 at 11:43
  • possible duplicate of How does SSL/TLS work? – schroeder May 12 '15 at 17:11

1 Answers1

2

this happens over HTTP and once the keys are shared and algorithms are decided further data will be encrypted but since in HSTS all data goes encrypted from the first request itself , so the client and server are using the algorithms and keys as decided in previous HTTPS session or how it works, how can the first request be encrypted without sharing the keys

It still uses the HTTPS service to negotiate SSL versions, ciphers and encryption keys. There is no requirement to have a plain HTTP service listening on your server.

HSTS will simply force the browser to "remember" not to use plain HTTP on a domain - it does not affect the SSL handshake.

SilverlightFox
  • 34,178
  • 6
  • 73
  • 190
  • This comment on the question. – SilverlightFox May 12 '15 at 17:34
  • Hi SilverlightFox, is it is using HTTPS to negotiate SSL version then data must be encrypted right from the first request , how the server will decrypt the data unless they dont have any shared key – Saurabh May 12 '15 at 20:42
  • @saur, the data is only encrypted after the handshake. – SilverlightFox May 12 '15 at 20:44
  • @silverlight if data is encrypted after handshake then how the first request is using HTTPS, without certificate sharing – Saurabh May 12 '15 at 20:53
  • @Mike Ounsworth you look more intrested in finding the source of the quote then understanding it, so Happy Hunting, keep finding (y) – Saurabh May 12 '15 at 20:54
  • @saur the first request begins the handshake. – SilverlightFox May 12 '15 at 20:56
  • @SilverlightFox, if the first request begins handshake, how the data in encrypted, if u use wireshark u will observe the first request itself goes encrypted. – Saurabh May 12 '15 at 20:58
  • @Saurabh The first request is not encrypted, and that's fine. Go look up the SSL Handshake, all your questions will be answered. – Mike Ounsworth May 12 '15 at 20:59
  • @MikeOunsworth, I had asked the above question to a member in OWASP but could not get any reply so, I put it here. – Saurabh May 12 '15 at 20:59
  • @MikeOunsworth, thankyou for the answers, last doubt , this means if someone offers a fake certificate , is it still possible to do MITM – Saurabh May 12 '15 at 21:03
  • @Saurabh "fake certificates" are avoided by checking that they were issued by a trusted root Certificate Authority (CA). The CA will sign the certificate when it's created, and this is almost impossible to fake. You can read more here: https://en.wikipedia.org/wiki/Certificate_authority#Issuing_a_certificate – Mike Ounsworth May 12 '15 at 21:11
  • @MikeOunsworth, thanks again, you cleared my doubt – Saurabh May 13 '15 at 07:50