Reply to post: a couple of misleading statements in the article

Hacked in a public space? Thanks, HTTPS

Adam 1 Silver badge

a couple of misleading statements in the article

Firstly, a MitM scenario is what we call "the norm". It is highly unlikely that you have a direct connection from your computer to the server. There are most likely a dozen networks that get traversed. It is not some afterthought that the guys behind HTTPS didn't consider

Being a MitM allows you to 1. Observe and 2. Manipulate any bytes traversing that link. For HTTP, that means that pages can be manipulated and any credentials can be easily obtained. Some popular IT news websites even fail to use HTTPS in their comments if you can imagine that. Equally, mixed HTTPS via a HTTP page is not safe.(eg).

But HTTPS is different. The design of HTTPS is that your browser demands the site prove that it owns a certificate by signing a random challenge issued by the client. The server gives it's public key which can be used to decrypt the response and reveal the original challenge, the certificate is signed by a trusted authority, which hopefully means some diligence was done that the issuer. Without getting a hold of the private key of a CA, or otherwise convincing them that your certificate should be signed, you will either have an invalid signature or a CA that your browser has never heard of. In both cases, your browser will make it known to you that it isn't satisfied.

The theory works, setting aside whether the CAs are trustworthy. The problems are in the implementations. The Apple GOTO fail bug was basically a failure to validate the signature on the certificate. POODLE works by interfering with the negotiations about what algorithms the client and server have in common, and basically tricking them into communicating using a very weak key. That is easily mitigated by either the client or server having a somewhat recent security patch applied.

Sslstrip works by tricking the client into using plain old HTTP while it works as a proxy, talking using HTTPS to the website (HTTPS validates the website identity, not the client identity, and you just gave your credentials to a proxy which is now emulating you.) It's not magical. It is also not going to get past hsts so I seriously doubt a modern browser is going to leak Gmail over HTTP.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019