
Man In Middle Attack for HTTPS

A man in the middle can decrypt the certificate (the public key for decryption is available everywhere) and steal the public key for the session. Now the man in the middle can read all encrypted messages from the web server to the client, but cannot read messages from the client to the server. So how does HTTPS avoid this?

You're quite simply misunderstanding how asymmetric cryptography works:

  • Public keys are used to encrypt and to verify a signature (if these operations are provided by the algorithm used).
  • Private keys are used to decipher and to sign.

The public key in the certificate will NOT let you decrypt anything; it's not what it's for.

The man in the middle can see the public key as part of the certificate, but cannot see the private key.

The peer has to trust the public key because it's signed by some CA they know in advance.

That's fundamentally it.
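The key roles described in the answers above, as an added example that is not part of the original posts: it uses toy textbook RSA (no padding, fixed Mersenne primes, constructed keys and secret) to show that the public key cannot undo its own encryption and that a CA signature does not validate a substituted key. All function names here are hypothetical, and this does not model the real TLS handshake.

```python
# Toy textbook RSA (no padding, fixed Mersenne primes): illustration only, not for real use.
import hashlib

def make_keypair(p, q, e=65537):
    """Return (public, private): public = (n, e), private = (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def apply_key(key, value):
    """RSA is modular exponentiation; which exponent you hold decides what you can do."""
    n, exponent = key
    return pow(value, exponent, n)

def key_digest(subject_public, modulus):
    """SHA-256 of the certified public key, reduced below the CA modulus."""
    h = hashlib.sha256(repr(subject_public).encode()).digest()
    return int.from_bytes(h, "big") % modulus

def ca_sign(ca_private, subject_public):
    return apply_key(ca_private, key_digest(subject_public, ca_private[0]))

def ca_verify(ca_public, subject_public, signature):
    return apply_key(ca_public, signature) == key_digest(subject_public, ca_public[0])

def demo():
    # Constructed keys: the CA, the real server, and an on-path party with its own key.
    ca_pub, ca_priv = make_keypair(2**107 - 1, 2**127 - 1)
    srv_pub, srv_priv = make_keypair(2**61 - 1, 2**89 - 1)
    mitm_pub, _ = make_keypair(2**17 - 1, 2**19 - 1)
    cert_sig = ca_sign(ca_priv, srv_pub)          # issued once, sent in the clear

    secret = int.from_bytes(b"session-key-0001", "big")   # constructed client secret
    ciphertext = apply_key(srv_pub, secret)       # client encrypts to the server

    return {
        "server_recovers": apply_key(srv_priv, ciphertext) == secret,
        "public_key_recovers": apply_key(srv_pub, ciphertext) == secret,
        "real_cert_valid": ca_verify(ca_pub, srv_pub, cert_sig),
        "swapped_key_valid": ca_verify(ca_pub, mitm_pub, cert_sig),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```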
