pierreozoux · October 22, 2014 11:33
diff --git a/demo b/demo
 # So TLS, which is the successor of SSL, is "Transport Layer Security".
 # It is a kind of super protocol that initiates an encrypted tunnel between the client and the server,
 # and then, you can use your normal verbs from your protocol as it was not encrypted.
 # For instance with http. Let's say you want to get a page from ubicast.eu
 # go to your terminal, and you can get it with
 telnet ubicast.eu 80
 GET / HTTP/1.0

 # and you get the index of the site.

 # Basically, you could do the same with openssl to start a TLS connection with ubicast.eu, and then do your normal discussion in HTTP.
 openssl s_client -connect ubicast.eu:443
 GET / HTTP/1.0

 # and you get a different index (because, I don't know, but you can verify on your browser :) )


 # But this technique requires a new port to distinguish normal protocal and TLS endpoint.
 # indeed, if I discuss HTTP or TLS it is different verbs that are used.
 # So that's why you have the port 80 for http, and 443 wich is HTTP over TLS or HTTPS.
 # But this anoying to give a new port to distinguish the secure version of the protocol. Like 80 and 443...
 # This is not beautiful from an engineering point of view :)

 # So they created STARTTLS that is a verb for all protocols :) We could imagine that we had this verb to http protocol.
 # And when we you use this verb, it would mean that you want to start a TLS connection.
 # So this is jsut a way to keep the normal protocol, and add encryption :)
 # you can try by yourself
 telnet smtp.gmail.com 587
 helo [email protected]
 AUTH LOGIN
 STARTTLS
 # but you will not be able to do it by hand, it's kind of complicated :)
 # but as you can see, they do not allow login without starttls :)

 # You can do it also, directly on the SMTP over TLS:
 openssl s_client -crlf -connect smtp.gmail.com:465
 helo [email protected]
 AUTH LOGIN

 # Hope it helped :)
 # And to respond to your question, STARTTLS and TLS are vulnerables to heartbleed as it is on the TLS implementation :)
 # STARTTLS is just a verb for normal protocol to start a TLS tunnel (as well described by the name :) )
	# So TLS, which is the successor of SSL, is "Transport Layer Security".
	# It is a kind of super protocol that initiates an encrypted tunnel between the client and the server,
	# and then, you can use your normal verbs from your protocol as it was not encrypted.
	# For instance with http. Let's say you want to get a page from ubicast.eu
	# go to your terminal, and you can get it with
	telnet ubicast.eu 80
	GET / HTTP/1.0

	# and you get the index of the site.

	# Basically, you could do the same with openssl to start a TLS connection with ubicast.eu, and then do your normal discussion in HTTP.
	openssl s_client -connect ubicast.eu:443
	GET / HTTP/1.0

	# and you get a different index (because, I don't know, but you can verify on your browser :) )


	# But this technique requires a new port to distinguish normal protocal and TLS endpoint.
	# indeed, if I discuss HTTP or TLS it is different verbs that are used.
	# So that's why you have the port 80 for http, and 443 wich is HTTP over TLS or HTTPS.
	# But this anoying to give a new port to distinguish the secure version of the protocol. Like 80 and 443...
	# This is not beautiful from an engineering point of view :)

	# So they created STARTTLS that is a verb for all protocols :) We could imagine that we had this verb to http protocol.
	# And when we you use this verb, it would mean that you want to start a TLS connection.
	# So this is jsut a way to keep the normal protocol, and add encryption :)
	# you can try by yourself
	telnet smtp.gmail.com 587
	helo [email protected]
	AUTH LOGIN
	STARTTLS
	# but you will not be able to do it by hand, it's kind of complicated :)
	# but as you can see, they do not allow login without starttls :)

	# You can do it also, directly on the SMTP over TLS:
	openssl s_client -crlf -connect smtp.gmail.com:465
	helo [email protected]
	AUTH LOGIN

	# Hope it helped :)
	# And to respond to your question, STARTTLS and TLS are vulnerables to heartbleed as it is on the TLS implementation :)
	# STARTTLS is just a verb for normal protocol to start a TLS tunnel (as well described by the name :) )