Re: SSL connection

From: Philip Ching (605.734.71) (pching@aplcenMP.apl.jhu.edu)
Date: 08/19/01


Date: Sat, 18 Aug 2001 23:24:19 -0400 (EDT)
From: "Philip Ching (605.734.71)" <pching@aplcenMP.apl.jhu.edu>
To: Patrick Duane Dunston <duane@sukkha.homeip.net>
Subject: Re: SSL connection
Message-ID: <Pine.GSO.4.10.10108182304430.18323-100000@aplcenMP.apl.jhu.edu>


Hi Patrick,

My understanding is that each SSL connection is encrypted by
a session key which is (in general) difficult to attack in
real-time. However, if my SSL connection continues for hours
(or days) then a hacker can attack the session key because
he has more time to crack.

So my idea (may be simple minded) is to restart (or refresh)
the SSL connection with the server every so often. In this
way the browser will generates a new session key each time a
new SSL connection is initiated - This follow from the SSL
protocol.

But I am not sure if I click the refresh icon in the Netscape
will disconnect my current SSL session and starts a new SSL
session. This is why I posted a question to the list, and hope
someone can offer some idea.

I beleive in the http:// connection (i.e., port 80), if I click
the Refresh icon, I'll get a new http connection. So the same
should be true in https:// But I am bot sure.

Thanks!

Philip

On Sat, 18 Aug 2001, Patrick Duane Dunston wrote:

> > How can I "refresh" an existing SSL session with the Server?
> >
> > This is because I want to re-authenticate the server.
> >
>
> Hi Phillip,
>
> I am sorry, I don't understand your question. Can you explain a little
> more please?
>
> --
> duane
>
> ...
>
> Love doesn't make the world go 'round.
> Love is what makes the ride worthwhile.
> --Franklin P. Jones
>
> --
>
> GnuPG Public Key: http://sukkha.homeip.net/pgp.html
>
> --
>
>

------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.