tags:

views:

210

answers:

4
+1  Q: 

Unencrypted SSL protocol?

Is it possible to send a message over https that isn't encrypted? For example, require that certificate validation and authorization occur, but not encrypt the actual data being sent over the socket?

A: 

No, the protocol doesn't allow for that.

One solution you could do is connect over https, verify the connection, then drop subsequent connections to HTTP with a session cookie. Without that cookie, redirect back to https so that the client always connects over it.

This might not be relevant to you, though, so if you provide more information about the problem you're trying to solve we could be of more help.

McPherrinM  2009-12-18 19:09:00
+3  A: 

Yes, TLS and SSL support "no-encryption" modes. Whether the particular client and server in question are configured to enable is a separate issue.

You can use the TLS_RSA_WITH_NULL_SHA cipher suite, among others, to protect the authenticity and integrity of traffic, without encryption.

The "RSA" in this case refers to the key exchange algorithm, while "SHA" refers to the message authentication algorithm used to protect the traffic from being altered. "NULL" is the encryption algorithm, or, in this case, the lack of encryption.

It's important to realize that the traffic, though it's not encrypted, is bundled up in SSL records. The client and server must be SSL-enabled.

If you are looking for a step-down solution where some data is exchanged over SSL, then SSL is turned off but the application traffic continues, that's possible too, but keep in mind that it offers absolutely no security for the cleartext traffic; it can be tampered with by an attacker. So, for example, authenticating with SSL, then stepping down to an "in-the-clear" protocol to receive commands that use the authentication negotiated via SSL would unsafe.

erickson  2009-12-18 19:52:17
Hello, I have some question about openssl, would you like to take a look with the following address ?. http://stackoverflow.com/questions/2542156/openssl-ssl-encryption
deddihp  2010-03-30 15:48:40
A: 

I think you can.

but it would be stupid, you will loose the point of the authentication, and leave yourself exposed to attackers that can intercept and alter your packets.

Hellfrost  2009-12-18 20:00:04
+1  A: 

The SSL/TLS specs define a "NULL cipher" which you could use for this. Most client and server software disable it for obvious reasons.

However, if you are writing your own software, you may be able to convince your library to negotiate it.

Marsh Ray  2010-02-23 23:51:51

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords