Suppose you\'re connected to a VPN server via an SSTP VPN, and then you\'re tryi

Question

Suppose you're connected to a VPN server via an SSTP VPN, and then you're trying to sign in to your webmail account that is already secured with an SSL certificate, e.g. hushmail.com.

However, it seems your original data traffic is double-encrypted by both SSTP & SSL. Now suppose that for any reason your SSTP connection is hijacked and decrypted by a third party, e.g. the attacker stole your SSTP password or your SSTP-signed certificate is a fake one.

My question is: does the ability to decrypt the SSTP traffic pose any threat to the security of your email communication? I mean, does this hijacking of SSTP lead to decrypting the SSL traffic of your email?

Explanation / Answer

Assuming that the keys used for the SSL and SSTP layers are independent (which they should be, since both layers have their own separate key setup processes), compromising the outer layer (SSTP) cannot make the inner layer (SSL) any less secure than it would be if used alone.

To see why this is, imagine that there was an attack that did allow breaking SSL + SSTP significantly more easily than plain SSL alone. Then an attacker could break plain SSL just as easily as SSL + SSTP, simply by taking a plain SSL datastream, tunneling it over his own SSTP connection (a trivial operation) and then breaking the combination. But this contradicts the original assumption that breaking SSL alone would be harder than breaking SSL + SSTP.

Related Questions

Navigate

• Browse (All)
• Browse S
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.