edmond rodriguez on 24 Dec 2008 09:48:12 -0800


[PLUG] https and wireless computing


After a PLUG West meeting we were discussing wireless computing.  I had mentioned that I never worried too much about doing secure https type stuff, even on an open wireless network, as https: schemes take care of the security.

Another mentioned that in an extreme perhaps unlikely case (but still possible), a "man in the middle" could intercept the pass phrase negotiation that goes on at the beginning of an https: session, and therefore continue from there using the established connection.

I have been thinking about this for a while, and though I don't know the minute details of the process, I understand the first stage of https negotiation uses private and public keys to negotiate a password for the next stage (a faster encryption scheme).

So how can anything be "intercepted"?  The client and the server each have their own private keys, which the man in the middle will never know.  So how could the man in the middle decrypt the negotiated passphrases being used without having anyone's private keys?   I have not googled much about this and am only going by some things I learned about two or three ago.

Of course I am sure the risk of computing on an open wireless network is greater than a secure and/or wired network.  But is using https on an open wireless network very vulnerable?
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug