11

Is it possible to perform a replay attack on a request transferred via HTTPS? Meaning, does the HTTPS protocol enforce a mechanism similar to digest access authentication, where a nonce is introduced into the request to prevent replay?

Dave Cheney
oneself

2 Answers

11

Yes, it does. http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html

HTTPS calls the nonce a connection ID, and it's 128 bits long.

Kristaps
  • So the answer is yes it is possible to perform a replay attack but the SSL protocol makes it sufficiently improbable in real-world scenarios to make replay attacks near impossible to perform. – Kevin Kuphal Jun 26 '09 at 21:28
  • 5
    This answer is not entirely correct, as the mode of authentication selected for HTTPS sets up its ability to prevent a man-in-the-middle or replay attack. For the most part, yes, it does. But there can be implementations of HTTPS which do not protect against a replay attack. – patjbs Jun 26 '09 at 21:36
7

It depends on the implementation of HTTPS. It indeed can be secure against a replay attack - for instance, in an RSA key exchange, a temporary key is created which prevents execution of a replay attack. However, an anonymous key exchange does not provide replay protection, I believe.

https://datatracker.ietf.org/doc/html/draft-ietf-tls-ssl-version3-00 Appendix F

patjbs
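A simplified model of the nonce mechanism the answers above discuss, added here as an illustration and not taken from either poster or from any TLS library. It assumes HMAC-SHA256 as a stand-in for the real key derivation and record MAC, omits encryption, and uses the hypothetical names `derive_mac_key`, `Endpoint`, `new_session` and `demo`.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size


def derive_mac_key(master_secret, client_random, server_random):
    # Per-connection key: the shared secret mixed with both fresh nonces.
    return hmac.new(master_secret, b"key expansion" + server_random + client_random,
                    hashlib.sha256).digest()


class Endpoint:
    """One side of a connection (hypothetical name, simplified model)."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.seq = 0  # implicit record sequence number, never sent on the wire

    def _tag(self, payload):
        return hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + payload,
                        hashlib.sha256).digest()

    def protect(self, payload):
        record = payload + self._tag(payload)
        self.seq += 1
        return record

    def accept(self, record):
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(payload)):
            return False  # wrong key or wrong sequence number
        self.seq += 1
        return True


def new_session(master_secret):
    # Each handshake draws new randoms, so each connection gets its own key.
    key = derive_mac_key(master_secret, os.urandom(32), os.urandom(32))
    return Endpoint(key), Endpoint(key)  # (client, server)


def demo():
    secret = os.urandom(48)
    client, server = new_session(secret)
    captured = client.protect(b"POST /transfer amount=100")  # constructed sample request
    first = server.accept(captured)
    replay_same_conn = server.accept(captured)  # sequence number has advanced
    _, server2 = new_session(secret)
    replay_new_conn = server2.accept(captured)  # key differs under new randoms
    return first, replay_same_conn, replay_new_conn
```

The model covers only a captured record being re-sent on the wire; a request re-issued by an endpoint that holds the session keys is accepted like any other, so idempotency for sensitive operations remains an application-level concern.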