3
1
When a 2 computer establish an HTTPS connection them have to resolve what key is going to be used, right?
So, to do that, at some point the key have to travel unencrypted from one computer to another, no?. At that moment, isn't it possible to a man-in-the-middle to sniff it and get the key, so then he can just read/write the encrypted packets with it?
How does the HTTPS protocol avoids that?
Zequez
Posted 2012-01-20T20:05:35.563
Reputation: 1 564
3
SSL uses two keys, a private and a public one. Only the public key is sent and this key has no value unless you know the private one.
Every party is encrypting the data it sends with the public key of the other one (that's a little bit more complex but you got the idea). Only the recipient is able to (easily) decode the traffic.
That means that traffic sniffing is so not that much a problem, although of course brute force attacks would be depending on the key size and algorithm used.
Man in the middle attacks based on traffic interception and server substitution are a higher risk but normally prevented by the use of trusted certification authorities. It would however be defeated if you ignore the warnings your browser displays when a server certificate isn't matching the site name or hasn't been issued by a trusted chain of authorities (eg: self signed certificate).
jlliagre
Posted 2012-01-20T20:05:35.563
Reputation: 12 469
1
The HTTPS/SSL protocol uses Private/Public Keys to ensure a secure connection. http://en.wikipedia.org/wiki/Transport_Layer_Security
Chris Nava
Posted 2012-01-20T20:05:35.563
Reputation: 7 009