Hacker News new | past | comments | ask | show | jobs | submit login

> Nice. Remember the days when IT professionals would exclaim that this was a bad idea?

It has made some things more difficult. In the old days when I had problems with a remote IMAP server I could watch each command and response going over the wire. It made troubleshooting dead simple. When a POP3 mailbox got hung up on a single huge message you could just telnet in and delete the offending message in a few seconds. It's crazy to suggest that encrypting everything hasn't made things more complicated than they were. It hasn't been an insurmountable problem, and in an age where everyone wants to sell your browsing habits the rewards have been greater than the pain but it did make things harder.




> I could watch each command and response going over the wire.

AFAIK, Wireshark supports decrypting TLS traffic if you give it the private keys.

> When a POP3 mailbox got hung up on a single huge message you could just telnet in

Use “gnutls-cli” or “openssl s_client” – transparent TLS for your terminal. Both those commands also have options supporting protocols’ use of STARTTLS.


For a modern TLS session Wireshark will need the session keys, which will need to be exported separately for each connection made because they change every time.

Private keys in modern TLS are used only to prove who you are, they aren't used to decrypt anything. Instead random ephemeral secrets are chosen by both sides and a Diffie-Hellman (ECDH) key agreement method is used to agree a shared secret based on those ephemeral secrets.

As a result of this design the connection is encrypted and delivers integrity and confidentiality protection before either side knows who they're talking to.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: