How is SSL tunneling secure?

I've been reading about SSL tunnels and there seems to be a pretty important point I don't seem to understand. Once the tunnel is in place and the encrypted data is flowing between the two endpoints I understand how the proxy in the middle simply forwards the packets and cannot see what is contained in them.

However, in order to get to this stage, an SSL handshake had to have taken place through the proxy. Couldn't the proxy have listened in on that exchange in order to gain the necessary information to decode the data as it was sent through the tunnel? In other words, can I create an SSL tunnel through a completely untrusted proxy with any kind of assurance that my data can't be read? From what I've seen, I believe that the answer is yes, but I can't see how this is possible.

Can anyone shed some light?

Sander Smith

[859 byte] By [smithsaa] at [2007-10-1 4:13:45]

«« Need - Good / Easy to use IDE for Java develoment - Help
»» Stock market data

# 1

I think I've figured it out and feel kind of stupid. The SSL handshake in the nominal case happens over an untrusted network and works such that if a 3rd party listens in, he won't be able to do anything.

In the tunnel situation, there is a built in man-in-the-middle (the proxy), but it doesn't have enough information to decrypt the packets as the fly by.

If I'm wrong about this, let me know.

Sander Smith

smithsaa at 2007-7-9 4:44:17 >

top of Java-index,Security,Java Secure Socket Extension (JSSE)...

# 2

That's correct. Man-in-the-middle has a different meaning here. The middleman just controls the connection itself, it has no way to read the encrypted info, orto modify the contents of the communication without being detected.

wetmorea at 2007-7-9 4:44:17 >

Java programming resources: FAQs, tutorials, compiler and browser download sites, documentation, books lists, IDEs, etc.

How is SSL tunneling secure?

Security New Topic

Security Hot Topic

Security

All Classified