I tried short-cutting the initial handshake info from my initial paragraph. You are, of course, correct regarding decryption. However, it was my interpretation that the use of the word snoop, given the original author's intention, meant seeing clear text data. To wit:

> To proxy an https the proxy MUST decrypt the message (or it cannot
> understand the request), so it MUST be the secure server for the client (or
> it will not have the key to decrypt) and then the proxy MUST re-encrypt and
> then become the client for a connection with the remote server.
-----Original Message-----
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 1:40 PM
To: [EMAIL PROTECTED]
Subject: Re:

Neff Robert A <[EMAIL PROTECTED]> writes:
> You cannot snoop a secure https transaction without somehow
> pretending to be the destination host. To do that requires
> the cert, which is public, and private key, which you will
> not have.

Sort of. You can certainly passively snoop an HTTP transaction. There's no need to pose as the server. Decrypting the traffic requires, as you say, the private key, but not the certificate.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]