JavaRanch » Java Forums » Engineering » Security
How does HTTPS really work?

Alexandre Folgueras
Ranch Hand

Joined: Jan 22, 2005
Posts: 38
Hi everyone, I have a question on a particular way to use https that, at first look, seems incorrect (at least to me). I noticed that some sites (Paypal.com, americanExpress.com) do not use the same pattern that everybody else does. That pattern is as follows:

As soon as I am redirected to the page of the site that contains the login form, the browser already displays an https url. Therefore, when I hit the submit button on the login form, my user name and password are encrypted because both the page I'm on and the page that is being called (or servlet, whatever) reside on an https protocol. I always thought that this was the only way to go.

Now, as I said earlier, I noticed that some sites use a different mechanism... Their way is the same as the one I just described, except that the page that contains the login form does not display the https protocol...

In fact, if you type www.paypal.com, you will get the login page but the browser will not display https as the protocol being used. If you look at the source code however, the action of the form is an https page.

So, when I first noticed how Paypal works, I thought that the username and password were not protected while they were sent to the https page. But I installed a sniffer on my pc to see if I would be able to pick up the HTTP packet that contains the user name and password and, to my surprise, I was not able to sniff anything. In fact, when I hit the submit button, I did not pick up any HTTP packet at all. I thought that I would at least pick up the HTTP packet that contains the username and password that is being sent from an http page to an https page.

So my question is, how does this work? The user information seems protected but I don't understand why, because I thought that the page that contains the login form had to be in https.

I hope I was clear enough,
Thanks in advance!
James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
I'm no SSL expert, but I think the SSL handshake happens before any information is sent. So in your scenario... it happens like this:

Press submit button to submit a form to https://whatever/login.jsp
Browser sees that the form action is for a site using SSL, so BEFORE sending the form parameters it connects to the site and completes the SSL handshake (checking certificates, creating a session key, encrypting it with the server's certificate, etc.). This initial connection for the SSL handshake may or may not be over SSL, I don't know. But it doesn't really matter since you're not sending any confidential information.
Once the SSL handshake is completed, the connection is now over https and the browser will safely send the username/password.

The handshake and the sending of the form parameters will seem like one connection to the user, since they press the "submit" button and all they see is the browser redirect to either a success or failure page. But in reality there is more than just one connection happening.
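Added example (this is not code from either post above): a small Go program that plays the scenario out locally and checks what a sniffer would see. A wire tap sits underneath the server's listener, a client submits a login form to a local endpoint the way a browser would, and the capture is searched for the password. With a plain-http form action the password is on the wire in cleartext; with an https action the tap records only the TLS handshake and encrypted records, which is why the sniffer in the question found nothing readable even though the page holding the form was served over http. The endpoint path /login, the field names and the credentials are made up for the example; httptest generates the self-signed certificate and srv.Client() trusts it, standing in for the browser's trust in PayPal's CA-issued certificate.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// wireTap wraps a net.Listener and records every byte the server reads from
// accepted connections. It sits below TLS, so it sees exactly what a sniffer
// on the network path would see.
type wireTap struct {
	net.Listener
	mu  sync.Mutex
	buf bytes.Buffer
}

func (t *wireTap) Accept() (net.Conn, error) {
	c, err := t.Listener.Accept()
	if err != nil {
		return nil, err
	}
	return &tappedConn{Conn: c, tap: t}, nil
}

// Bytes returns a copy of everything captured so far.
func (t *wireTap) Bytes() []byte {
	t.mu.Lock()
	defer t.mu.Unlock()
	return append([]byte(nil), t.buf.Bytes()...)
}

type tappedConn struct {
	net.Conn
	tap *wireTap
}

func (c *tappedConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	if n > 0 {
		c.tap.mu.Lock()
		c.tap.buf.Write(p[:n])
		c.tap.mu.Unlock()
	}
	return n, err
}

// submitLogin starts a local /login endpoint (hypothetical path), posts a
// username/password form to it over plain HTTP or HTTPS depending on the
// form action's scheme, and returns the captured wire bytes plus whether the
// server received the password intact.
func submitLogin(actionIsHTTPS bool, user, password string) (wire []byte, serverGotPassword bool, err error) {
	got := make(chan string, 1)
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got <- r.PostFormValue("password")
		io.WriteString(w, "ok")
	})

	srv := httptest.NewUnstartedServer(handler)
	tap := &wireTap{Listener: srv.Listener}
	srv.Listener = tap // StartTLS wraps this listener with TLS, so the tap stays underneath
	if actionIsHTTPS {
		srv.StartTLS() // self-signed cert generated by httptest; srv.Client() trusts it
	} else {
		srv.Start()
	}
	defer srv.Close()

	form := url.Values{"username": {user}, "password": {password}}
	resp, err := srv.Client().PostForm(srv.URL+"/login", form)
	if err != nil {
		return nil, false, err
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, false, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return tap.Bytes(), <-got == password, nil
}

// passwordOnWire reports whether the credential appears in cleartext in the capture.
func passwordOnWire(wire []byte, password string) bool {
	return bytes.Contains(wire, []byte(password))
}

func main() {
	const user, pw = "alice", "correct-horse-battery" // constructed sample credentials
	for _, https := range []bool{false, true} {
		wire, ok, err := submitLogin(https, user, pw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("action https=%v  server got password=%v  cleartext on wire=%v  (%d bytes captured)\n",
			https, ok, passwordOnWire(wire, pw), len(wire))
	}
}
```

Run it with go run; it prints one line per scheme, and in the https case the capture is non-empty (ClientHello plus encrypted records) but never contains the password. One caveat the thread does not raise: the scheme of the form's action decides how the credentials travel, but if the page holding the form is itself fetched over plain http, an attacker on the path can rewrite that action to an http URL or inject script before the user ever clicks submit, so the login page also needs to be served over https for the protection to hold.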
 