Gordon Dexter on 24 Dec 2008 11:24:30 -0800



Re: [PLUG] https and wireless computing


No, a man-in-the-middle attack is not possible using HTTPS.  The reason 
for this is the public key infrastructure.

Basically, there are a number of organizations such as Thawte, Verisign, 
CaCert, etc. that exist solely to sign the server key.  They only do this 
after verifying that they are giving the key to the person who owns the 
domain.  Therefore nobody else can have a signed cert with my domain as 
the common name.  When your browser visits a site in https it checks to 
make sure that it is talking with the right server.  A different server 
wouldn't have the right certificate, signed by a CA (certificate 
authority) whose public key is in your browser.

If the common name and the domain name don't match, browsers will 
generate a scary-looking warning that there might be something nefarious 
going on.  In most cases it's a poorly-configured website, or perhaps 
one with a CA the browser doesn't recognize.  Either way, it discourages 
users from sending their banking data to a website that isn't owned by 
the person who owns the bank's domain.

There's a lot more on Wikipedia about this: 
http://en.wikipedia.org/wiki/Public_key_infrastructure

--Gordon

edmond rodriguez wrote:
> After a PLUG West meeting we were discussing wireless computing.  I had mentioned that I never worried too much about doing secure https type stuff, even on an open wireless network, as https: schemes take care of the security.
>
> Another mentioned that in an extreme perhaps unlikely case (but still possible), a "man in the middle" could intercept the pass phrase negotiation that goes on at the beginning of a https: session, and therefore continue from there using the established connection.
>
> I have been thinking about this for a while, and though I don't know the minute details of the process, I understand the first stage of https negotiation uses private and public keys to negotiate a password for the next stage (a faster encryption scheme). 
>
> So how can anything be "intercepted"?   The client and the server each have their own private keys, which the man in the middle will never know.  So how could the man in the middle decrypt the negotiated passphrases being used without having anyone's private keys?   I have not googled much about this and only going by some things I learned about two or three ago.
>
> Of course I am sure the risk of computing on an open wireless network is greater than a secure and/or wired network.  But is using https on an open wireless network very vulnerable?
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>   

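The name check described in the reply above, as an added example that is not part of the original message: once the TLS library has validated the CA signature, the client compares the host it asked for against the names in the certificate. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
# Added example: client-side certificate name check (signature validation
# against the trusted CA list is assumed to have succeeded already).

def name_matches(pattern, host):
    """Compare one certificate name with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # wildcard only as the whole leftmost label, and never "*.tld"
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def presented_names(cert):
    """Names the certificate vouches for: SAN dNSName entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN entries exist the common name is ignored
    # CN fallback, the behaviour the email describes; current browsers
    # require SAN entries and no longer accept CN-only certificates.
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_check(cert, requested_host):
    """Return "ok" or a mismatch message like the browser warning."""
    names = presented_names(cert)
    if any(name_matches(n, requested_host) for n in names):
        return "ok"
    shown = ", ".join(names) or "<no names>"
    return "mismatch: certificate is for %s, not %s" % (shown, requested_host)

# Constructed sample certificates (not real sites).
BANK_CERT = {"subject": ((("commonName", "www.bank.example"),),),
             "subjectAltName": (("DNS", "www.bank.example"),
                                ("DNS", "bank.example"))}
CN_ONLY_CERT = {"subject": ((("commonName", "www.bank.example"),),)}
WILD_CERT = {"subject": ((("commonName", "*.bank.example"),),),
             "subjectAltName": (("DNS", "*.bank.example"),)}
OTHER_CERT = {"subject": ((("commonName", "www.other-site.example"),),),
              "subjectAltName": (("DNS", "www.other-site.example"),)}

if __name__ == "__main__":
    for cert in (BANK_CERT, CN_ONLY_CERT, WILD_CERT, OTHER_CERT):
        print(name_check(cert, "www.bank.example"))
```

A validly signed certificate for a different domain still fails this check, which is what produces the browser warning.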