qnimate
Reputation: 909
Man In Middle Attack for HTTPS
A man in middle can decrypt the certificate(public key for decryption is available on everywhere) and steal the public key for the session. Now the middle man can read all encrypted messages from web server to client. But cannot read messages from client to server. So how does HTTPS avoid this?
Upvotes: 0
Views: 228
Answers (2)
Bruno
Reputation: 122649
You're quite simply misunderstanding how asymmetric cryptography works:
- Public keys are used to encrypt and to verify a signature (if these operations are provided by the algorithm used).
- Private keys are used to decipher and to sign.
The public key in the certificate will NOT let you decrypt anything, it's not what it's for.
Upvotes: 3
Dima Tisnek
Reputation: 11781
Man in the middle can see public key as part of certificate, but cannot see the private key.
Peer has to trust public key because it's signed by some CA they know in advance.
That's fundamentally it.
Upvotes: 1
Related Questions
- SSL and man-in-the-middle misunderstanding
- SSL: How are certificates protected against man in the middle attacks?
- What are the ways man in the middle attacks can be initiated?
- How do certificate avoid the man in the middle attack?
- SSL Security man-in-the-middle attack
- SSL and Man in the middle attack
- Preventing Man-in-the-middle attacks on non-HTTPS
- Can HTTPS connections be hijacked with a man-in-the-middle attack?
- How to prevent HTTPS man-in-middle attack from the server side?
- Preventing man in the middle attack while using https