This topic contains 1 reply, has 2 voices, and was last updated by ramirezz 1 month ago.
- October 24, 2020 at 3:37 am #321958
I’ve been struggling to understand SSL for some time now, recently I found a really good video explaining it and almost everything became clear to me. There is only one thing I don’t get.
When the server sends you the public key, it is unencrypted right? So someone could capture that, and encrypt messages with that in your name, as well as capture all the encrypted data coming from the server.
As far as I understand SSL is only working to validate that the data you get is actually coming from the server and to make sure that the data you sent can not be read.
EDIT.: I’ve somehow missed the part where a symetric key is generated by the user and sent back encrypted with the public key, so I guess that kind of answers my question.
- October 24, 2020 at 3:37 am #321959
Glad you have figured it out. I’ll just add that both parties provide their public keys to each other. Shared encryption key is then generated on each side using a combination of each party’s private key and the other party’s public key. All subsequent communication is encrypted by generated key each way. If you feel nosy, this [illustrates](https://tls.ulfheim.net/) the process quite well.
- October 24, 2020 at 3:37 am #321960
And phished it not really the right term. You can absolutely run a phishing attack using ssl sites. SSL is about preventing a Man In The Middle attack.
- October 24, 2020 at 3:37 am #321961
I love people who find their own answers. Well done. 🙂
- October 24, 2020 at 3:37 am #321962
care to share the video?
- October 24, 2020 at 3:37 am #321963
Related, is the DH process in which you can exchange a symmetric key while a third party observes, but they never get the actual key.
- October 24, 2020 at 3:37 am #321964
Because it’s illegal
- October 24, 2020 at 3:37 am #321965
pub key is transferred in a certificate that is certified by a trusted root authority. if that root authority is in your trusted root authority list then it’s considered valid.
- October 24, 2020 at 3:37 am #321966
The private key is never sent across the network, otherwise it would no longer be private. The private key of the server is used to authenticate the server, not to encrypt. For the actual encryption a session key is used, so the question remains how do client and server agree on a session key without making that known to an observer.
You must be logged in to reply to this topic.