user1588293

Reputation: 63

SSL Security man-in-the-middle attack

A lot of debate about this, but one thing isn't clear to me. Can't an ISP intercept the connection between the client and the server? Like when the ISP intercepts the initial process of the SSL connection, the ISP WILL RESPOND TO THE CLIENT and not the server, pretending it's from the server. Therefore the ISP can be a perfect man-in-the-middle with the power of reading AND modifying data whenever they want, is that correct?

Upvotes: 0

Views: 226

Answers (1)

user207421

Reputation: 310883

No, because the ISP doesn't hold a private key that matches the certificate at the server you are trying to access. So unless you aren't checking the peer certificate, i.e. you are accepting the ISP's own certificate instead of the website's certificate, it is impossible for him to masquerade as the endpoint.

Upvotes: 5
