36

I checked the data transmission of an HTTPS website (gmail.com) using Firebug. But I can't see any encryption to my submitted data (username and password). Where does SSL encryption take place?

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
open source guy
  • 1,909
  • 9
  • 25
  • 27

8 Answers8

57

The SSL protocol is implemented as a transparent wrapper around the HTTP protocol. In terms of the OSI model, it's a bit of a grey area. It is usually implemented in the application layer, but strictly speaking is in the session layer.

Think of it like this:

  1. Physical layer (network cable / wifi)
  2. Data link layer (ethernet)
  3. Network layer (IPv4)
  4. Transport layer (TCP)
  5. Session layer (SSL)
  6. Presentation layer (none in this case)
  7. Application layer (HTTP)

Notice that SSL sits between HTTP and TCP.

If you want to see it in action, grab Wireshark and browse a site via HTTP, then another via HTTPS. You'll see that you can read the requests and responses on the HTTP version as plain text, but not the HTTPS ones. You'll also be able to see the layers that the packet is split into, from the data link layer upwards.

Update: It has been pointed out (see comments) that the OSI model is an over-generalisation and does not fit very well here. This is true. However, the use of this model is to demonstrate that SSL sits "somewhere" in between TCP and HTTP. It is not strictly accurate, and is a vague abstraction of reality.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • 4
    Not sure about the OSI model comparison. The TCP/IP model itself doesn't quite fit into that model (see details on the TCP/IP section of the Wikipedia article). – Bruno Sep 03 '12 at 21:44
  • 2
    @Bruno I'm not sure I get what you're saying. TCP/IP is a *suite* of network protocols, whereas TCP and IPv4 are distinct protocols at individual layers in the OSI model. The OSI model makes a good abstraction in this case, because it shows where SSL sits. It doesn't need to be 100% accurate - nothing ever is with such abstractions - it's just there to aid understanding. – Polynomial Sep 04 '12 at 05:53
  • 6
    I'm just saying that the OSI model is widely taught as a theoretical concept, but the TCP/IP stack (one of the most used stack of protocols) doesn't fit into that model unambiguously unfortunately. In fact, the Wikipedia page puts SSL/TLS in layer 6 (presentation), not 5 like your answer. Propagating that OSI model doesn't actually help in many cases and this layer can be very "artificial". Of course, it's a model, it will always be artificial, but the model doesn't always easily fit the reality, which gets worse when you consider protocols like VPNs for example. Even SSL/TLS doesn't quite fit – Bruno Sep 04 '12 at 10:33
  • @begueradj As we've already discussed, TLS doesn't really fit anywhere in the OSI model. Strictly speaking, it's layer 7, not 5 or 6, but in terms of where you'd place it in terms of network protocol encapsulation it sits between TCP and the application, so 5 and 6 make sense. The distinction between 5 and 6 is also a grey area, because TLS does a lot more than just encrypt the data. So, as I've said before, **this is an oversimplification** and is **only** meant to express its position in the network stack in a practical sense. – Polynomial May 24 '14 at 00:19
  • SSL is not 'implemented as a transparent wrapper around the HTTP protocol'. You could so describe HTTPS, but not SSL. – user207421 Jan 16 '16 at 06:01
22

With HTTPS, encryption occurs between the Web browser and the Web server. Firebug runs on the browser itself, so it sees the cleartext data; encryption takes place when exiting the browser.

Use a network monitor tool (such as Microsoft Network Monitor or Wireshark) to observe the encrypted traffic. Use a Man-in-the-Middle attack product like Fiddler to get a taste of what an attacker can do (namely: intercepting the connection and recovering the data is feasible IF the user can be persuaded to "ignore the friggin' browser warnings" about untrusted certificates -- so don't ignore the warnings !).

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
5

HTTPS is HTTP over TLS (or over SSL, which is the name of previous versions of TLS).

SSL/TLS, when configured properly, provides privacy and data integrity between two communicating applications (see TLS specification), over a reliable transport, typically TCP.

Although TCP sockets are not mentioned in the TLS specification, SSL and TLS were designed with the objective of providing a model that could be used almost like plain TCP sockets by application programmers. Besides a few edge cases (for example, for closing sockets or if you want your application you application to be aware of re-negotiations), this is indeed mostly the case. SSL/TLS stacks often provide wrappers that make the SSL/TLS sockets be programmable in the same way as plain TCP sockets (once configured); for example Java's SSLSocket extends Socket.

Most applications rely on existing libraries to use SSL/TLS (for example JSSE in Java, SChannel, OpenSSL, Mozilla's NSS library, OSX's CFNetwork, ...). With little modifications to the plain TCP code (usually, everything around certificate and trust management, and encryption/cipher suites settings if required), SSL/TCP sockets (or streams, depending on the type of API) are used to exchange plain text as far as the application is concerned. It's the underlying library that tends to do the encryption work, transparently.

When you look at the traffic within the browser's developer's tools, it's what's exchanged on top of those libraries that you see. To see the encrypted traffic, you'd need to look at the actual traffic (e.g. using Wireshark).

Community
  • 1
Bruno
  • 10,765
  • 1
  • 39
  • 59
3

While all network models are imperfect, this question can only be answered by looking at what SSL (TLS really) does. (1) On top of a reliable network stream (TCP at OSI layer 4) it provides an encrypted bidirectional stream and (almost always) guarantees the identity of the server and (optionally) the client. The authenticating client can be a process, user or some other entity which can properly answer the required authentication challenges.

TLS means Transport Layer Security. However since it does implement session identity, integrity, start up, tear down and management it very much belongs in the session layer. The Wikipedia page states that this belongs to the OSI presentation layer. This is probably wrong. The presentation layer is more concerned with marshalling data into non-network-dependent formats and interpreting it on the host side through the appropriate application.

At-rest encryption (say in a database field or email message) might be a candidate for the presentation layer, but I would suggest that it's closer to a form of OS or application security.

So in reality TLS is mostly session-layer as it provides point-to-point session security for the transport (TCP). In other ways it provides authentication functions which are clearly application layer (OS, utility or user app).

So it's a lot of layer 5 and a little of layer 7.

Good luck.

eris0xff
  • 31
  • 1
1

SSL operates at the presentation layer in the OSI model (Layer6). See reference The TCP/IP guide, M. Kozierok, page 111. "Protocols at this layer take care of manipulation tasks that transform data from one representation to another, such as translation, compression and encryption. One of the most popular encryption schemes usually associated with the presentation layer is the Secure Socket Layer (SSL) protocol." HTTPS is the application layer protocol using ssl at layer 6 for encryption purposes.

Kruger
  • 11
  • 1
1

In spite of being possible to read/write data to SSL/TLS channels as with vanilla TCP/IP sockets, in Java or C or whatever, SSL provides you the concept of SSL session, which can be kept across several TCP/IP connections. Thus, IMHO this makes SSL a session layer protocol (I wonder why someone came up with the TLS name...).

André Zúquete
  • 21
  • 3
0

It's a layer above the transport layer, usually TCP.

You can see the encrypted data going in and out with wireshark.

Kovags
  • 139
  • 3
-1

According to: Kozierok, Charles M. 2005. The TCP/IP Guide. No Starch Press, Inc. San Francisco, CA. 94103. ISBN 1-59327-047-X pp 947 -1080

SSL works on OSI layer 6.

user155712
  • 11
  • Can you provide some more explanation, SSL working above the transport layer is understood. But provide some information nuances, exactly when the SSL protocol starts working what happens during the process etc. – TheJulyPlot Aug 01 '17 at 06:36
  • Fail answer. The listed pages in the book from 2005 are about DNS/NFS/BOOTP/DHCP and TCP/IP w.r.t. SNMP. Only single mention of SSL being on layer 6 is p.111: **For example, one of the most popular encryption schemes usually associated with the presentation layer is the Secure Sockets Layer (SSL) protocol.** – sjas Oct 09 '19 at 13:03