Why can’t you phish HTTPS server data? – Digitalmunition

Home Forums Why can’t you phish HTTPS server data?

This topic contains 1 reply, has 2 voices, and was last updated by  ramirezz 1 month ago.

  • Author
  • #321958


    Hello all!

    I’ve been struggling to understand SSL for some time now, recently I found a really good video explaining it and almost everything became clear to me. There is only one thing I don’t get.

    When the server sends you the public key, it is unencrypted right? So someone could capture that, and encrypt messages with that in your name, as well as capture all the encrypted data coming from the server.

    As far as I understand SSL is only working to validate that the data you get is actually coming from the server and to make sure that the data you sent can not be read.

    EDIT.: I’ve somehow missed the part where a symetric key is generated by the user and sent back encrypted with the public key, so I guess that kind of answers my question.

  • #321959


    Glad you have figured it out. I’ll just add that both parties provide their public keys to each other. Shared encryption key is then generated on each side using a combination of each party’s private key and the other party’s public key. All subsequent communication is encrypted by generated key each way. If you feel nosy, this [illustrates](https://tls.ulfheim.net/) the process quite well.

  • #321960


    And phished it not really the right term. You can absolutely run a phishing attack using ssl sites. SSL is about preventing a Man In The Middle attack.

  • #321961


    I love people who find their own answers. Well done. 🙂

  • #321962


    care to share the video?

  • #321963


    Related, is the DH process in which you can exchange a symmetric key while a third party observes, but they never get the actual key.


  • #321964


    Because it’s illegal

  • #321965


    pub key is transferred in a certificate that is certified by a trusted root authority. if that root authority is in your trusted root authority list then it’s considered valid.

  • #321966


    The private key is never sent across the network, otherwise it would no longer be private. The private key of the server is used to authenticate the server, not to encrypt. For the actual encryption a session key is used, so the question remains how do client and server agree on a session key without making that known to an observer.


You must be logged in to reply to this topic.