Nelson, Thx for the quick follow-up. >> Is it possible to access the 36 bytes as per >> http://www.rfc.net/rfc2246.html#s7.4.9. >> (20 bytes of SHA-1 and 16 bytes of MD5)? > Of what value are these items to anything outside of the SSL/TLS protocol > itself? We are trying to build a plugin to prevent phishing. See also http://www.w3.org/2005/Security/usability-ws/papers/08-esecurity-browser-enhancements/ and https://bugzilla.mozilla.org/show_bug.cgi?id=322661 . > >> P.S.: Alternatively, after the handshake has completed, is it possible to >> access the SSL/TLS session key that was negotiated. > Directly? To the bits of they key itself? or to a handle for that key? I guess either the bits of the key itself or a digest thereof > > Again, why is this value of interest to anything outside of SSL itself? Probably, the approaches are best described in http://www.esecurity.ch/OHB06b.pdf . > >> I see that I can get at the serverCert in >> http://xulplanet.com/references/xpcomref/ifaces/nsISSLStatus.html > > Yes, unlike the other values requested above, the cert is public info, > and is typically sent over the wire in the clear. So, if the 36 bytes are not available, hashing the session key plus the server certificate most likely identify an SSL session pretty uniquely as a fall-back as well - would you agree?
Ralf _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
