So this video explains how https works. What I don’t get is what if a hacker in the middle pretended to be the server and provided me with the box and the public key. wouldn’t he be able to decrypt the message with his private key? I’m not a tech expert, but just curious and trying to learn.

  • lostmypasswordanew@feddit.de
    link
    fedilink
    English
    arrow-up
    82
    arrow-down
    1
    ·
    edit-2
    7 months ago

    All TLS/HTTPS clients have a set of Certificate Authority keys which they trust. Your client will only accept a public key which is signed by a trusted CA’s key. A proper CA will not sign a key for a domain when it has not verified that the entity that wants it’s key signed actually controls the domain.

    • mox@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      61
      arrow-down
      2
      ·
      7 months ago

      A proper CA will not sign a key for a domain when it has not verified that the entity that wants it’s key signed actually controls the domain.

      Most browsers trust many certificate authorities from all over the world.

      Any of them could…

      • be compelled by authority
      • be compelled by threat
      • be hacked
      • have a lapse in ethics
      • have a rogue employee
      • etc.

      …and yes, it has happened already.

      HTTPS as most of us use it today is useful, but far from foolproof. This is why various additional measures, like certificate pinning, private CAs, and consensus validation are sometimes used.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        34
        arrow-down
        1
        ·
        edit-2
        7 months ago

        I urge everybody to read up on CAA records in DNS and add them to your domains. They basically say what CA the certs for that domain are supposed to come from. Even if another CA issues valid certs for the domain they would be rejected if they don’t match the CAA în DNS. It takes 5 minutes.

        You can specify the valid CA in the form of its representative domain, for example to allow Let’s Encrypt you’d add 0 issue "letsencrypt.org". If you want to allow multiple CA you add multiple CAA records. They enter into effect if at least one CAA record is present. You can also restrict the challenge type, for example 0 issue "letsencrypt.org;validationmethods=dns-01".

        Please note that this is worth adding a CAA record even if you don’t use your domain for HTTP and you don’t issue any certs for it, because a rogue CA can do it for you. You can add a blank CAA record (0 issue ";") which basically forbids any CA.

        (And yes, this also applies to email. It’s worth adding restrictive records even if you don’t use your domain for email.)

      • zeluko@kbin.social
        link
        fedilink
        arrow-up
        23
        ·
        7 months ago

        Thats why we now have certificate transparency reports and CA-records.
        Sure not perfect, but at least with a compliant CA it wont just happen in the dark.
        At some point you have to trust someone.

      • Nightwatch Admin@feddit.nl
        link
        fedilink
        English
        arrow-up
        15
        ·
        7 months ago

        It is indeed true that some CAs have seriously misbehaved; however, browser builders are rather strict on the presence of the CAs they trust. Misbehaving or even simple errors are reasons for getting kicked out, after which certificates signed by those CAs are now no longer valid.

        • mox@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          edit-2
          7 months ago

          Misbehaving or even simple errors are reasons for getting kicked out,

          That can be helpful if a transgression is noticed, and it’s not orchestrated by a higher authority (e.g. government), and the damage isn’t already done.

          browser builders are rather strict on the presence of the CAs they trust.

          Of course, browser builders are vulnerable to influence, attack, accidents, questionable judgment, and blind spots just as certificate authorities are.

        • lily33@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          7 months ago

          I’m somewhat skeptical. What if LetsEncrypt decided to misbehave tomorrow? Would the browsers have the guts to shut it down and break all sites using it?

          • Nightwatch Admin@feddit.nl
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            7 months ago

            Yes, they will. We’ve seen it before in mostly less serious cases: Diginotar, Türktrust, Symantec, etc. As brittle as the CA system can be, when there is real enough trouble, CAs do get revoked.

          • catloaf@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 months ago

            Not the browser companies. The parent CA would revoke Let’s Encrypt’s certs and publish that revocation in the certificate revocation list. When the browser (software, running on your system) downloads the new CRL, they will automatically stop trusting LE.

      • state_electrician@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        Many years ago I manually removed all CAs from my trust store and only added those I needed. Turned out that from roughly 160 trusted root CAs I needed about 10 to 12. I stopped because it often was very difficult to figure out which CA signed the cert for an app that was failing. The final nail in the coffin was when I was late for a business meeting and the only way to get a parking space close enough to my destination was by paying with an app I’d never used before and finding the right root CA under pressure was too much. I really wish we had more and easier control over who we trust.

      • qwerty@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        14
        ·
        7 months ago

        This is slightly off-topic but I was thinking about it and all of thoes isues can be solved by utilizing blockchain. Imagine a world where instead of CAs, decentralized domain (unstoppable domains, ENS etc.) owners publish their pub keys to the blockchain, the client can than query multiple nodes or store the chainstate locally. When establishing a connection client sends a secret handshake message + clients’ pub key encrypted with domains’ pub key. To complete the handshake server responds with the same secret message encrypted with clients’ pub key.

        • KairuByte@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          3
          ·
          7 months ago

          How are you ensuring the public key retrieved from the blockchain is legitimate?

          You’re just removing the semi trustworthy CA and replacing it with the less trustworthy blockchain. Unless you’re proposing encrypting the blockchain connection, maybe they could use TLS?

          • qwerty@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 months ago

            Ownership of the domain is verifiable on the blockchain, if the same wallet that owns the domain (nft) also publishes the pub key (owns the pub key nft or key data is embedded in the domain name nft) you can verify that the key is valid.

            IMO blockchain is more trustworthy than any single CA because you aren’t trusting a single entity, but a decentralized network of nodes. Assuming that most nodes are honest you can query 100 independent nodes for the same data, if 99 say the same thing you can be fairly confident that the data is valid. You can also run your own node and not have to trust anyone.

            To protect against MITM of your connection redirecting all traffic to their malicious node, some well known and trusted nodes would be hardcoded in the browser/OS software along with their public signing key to verify the signed data they send you, and genesis block data in case you want to run a node yourself. Signing keys of nodes would also be published to the blockchain. Think a unified, immutable, cryptographically verifiable, distributed database of public key - domain name pairs, which is what blockchain basically is. Encrypting the connection is a good idea too, extra privacy is always welcome.

            The biggest advantage here is that every single pub key (certificate) is stored by every single node (CA), so if one node goes rogue or is compromised and starts serving false data, it will be immediately discovered by the client by comparing it’s data to the data from other nodes, and can be immediately and verifiably reported to the network, even in the case of a targeted attack, because all data recived from the nodes is signed.

            No solution is perfect and this one is not an exception, if your hardware or your os/browser is compromised there is nothing short of manually checking certificate data or using an external device to verify it, that can be done, but that’s true for most IT systems, including the current TLS certification and authority based system.

            Blockchain is a well tested technology that has proven itself to work by being a core part of a trillion dollar industry and was specifically designed to eliminate the need for trusting a 3rd party. It seems like a natural solution to the biggest problem with CAs - trusting a 3rd party. It’s honestly sad that so many people dismiss it or are downright against it coz “crypto”, even when no crypto currency is invloved. I guess they spent so much time hating it they can’t even admit it might be useful to them after all.

            Thanks for asking for a follow-up instead of just downvoting.

        • lily33@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          It seems to me like a MITM hacker can just redirect all requests to a Blockchain node towards their malicious node.

          • qwerty@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 months ago

            Ownership of the domain is verifiable on the blockchain, if the same wallet that owns the domain (nft) also publishes the pub key (owns the pub key nft or key data is embedded in the domain name nft) you can verify that the key is valid.

            IMO blockchain is more trustworthy than any single CA because you aren’t trusting a single entity, but a decentralized network of nodes. Assuming that most nodes are honest you can query 100 independent nodes for the same data, if 99 say the same thing you can be fairly confident that the data is valid. You can also run your own node and not have to trust anyone.

            To protect against MITM of your connection redirecting all traffic to their malicious node, some well known and trusted nodes would be hardcoded in the browser/OS software along with their public signing key to verify the signed data they send you, and genesis block data in case you want to run a node yourself. Signing keys of nodes would also be published to the blockchain. Think a unified, immutable, cryptographically verifiable, distributed database of public key - domain name pairs, which is what blockchain basically is. Encrypting the connection is a good idea too, extra privacy is always welcome.

            The biggest advantage here is that every single pub key (certificate) is stored by every single node (CA), so if one node goes rogue or is compromised and starts serving false data, it will be immediately discovered by the client by comparing it’s data to the data from other nodes, and can be immediately and verifiably reported to the network, even in the case of a targeted attack, because all data recived from the nodes is signed.

            No solution is perfect and this one is not an exception, if your hardware or your os/browser is compromised there is nothing short of manually checking certificate data or using an external device to verify it, that can be done, but that’s true for most IT systems, including the current TLS certification and authority based system.

            Blockchain is a well tested technology that has proven itself to work by being a core part of a trillion dollar industry and was specifically designed to eliminate the need for trusting a 3rd party. It seems like a natural solution to the biggest problem with CAs - trusting a 3rd party. It’s honestly sad that so many people dismiss it or are downright against it coz “crypto”, even when no crypto currency is invloved. I guess they spent so much time hating it they can’t even admit it might be useful to them after all.

            Thanks for asking for a follow-up instead of just downvoting.

  • NeoNachtwaechter@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    2
    ·
    7 months ago

    It is possible and it has been done.

    You need to get your “hacker” key signed/certified by an official CA. Which is not that difficult with some of them because they are doing it for money.

    • Cras@feddit.uk
      link
      fedilink
      English
      arrow-up
      6
      ·
      7 months ago

      You don’t really ‘need to’ in a world where a good proportion of people will happily click ‘continue anyway’ when they get any sort of certificate error

      • zeluko@kbin.social
        link
        fedilink
        arrow-up
        4
        ·
        7 months ago

        Thats why we have HSTS and HSTS preloading, so the browser refuses to allow this (and disabling it is usually alot deeper to find than a simple button to “continue anyways”)

        • IHawkMike@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          In Chromium browsers you can simply type “thisisunsafe” to bypass even HSTS failures.

      • NeoNachtwaechter@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        7 months ago

        people will happily click ‘continue anyway’

        Not possible without a certificate. There will be no TLS connection, only an error message. No ‘click continue’.

        • ferret@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          It is trivial for an attacker to make self-signed TLS certs, and you can absolutely just click “continue” on sites that use them when you get a warning from the browser

            • Cras@feddit.uk
              link
              fedilink
              English
              arrow-up
              3
              ·
              7 months ago

              Firefox, Chrome, Edge, will all warn you about self-signed certs or cert mismatches but allow you to continue. You’re completely correct that SSL/TLS needs a certificate, but it doesn’t need to be CA issued or in any way legitimate for the encrypted tunnel to be established

            • ferret@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              7 months ago

              I am personally using firefox and referencing my own servers that use their own self-signed TLS certs that I have not bothered to load onto my pc because they aren’t public, but chromium-based browsers aren’t some outlier here

              • zeluko@kbin.social
                link
                fedilink
                arrow-up
                1
                ·
                7 months ago

                Your own servers probably also dont have HSTS enabled, or clicking continue will be disabled (if not overwritten in your browser-config)

                • ferret@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  7 months ago

                  Reading the HSTS spec, it doesn’t work on first connection, and while most people are using websites they access more than once, that notably isn’t all web use.

  • elrik@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    7 months ago

    As others have mentioned, a trusted 3rd party signs the correct key so your browser can check the key itself.

    However, it should also be noted that your browser must have a list of trusted 3rd parties and their certificates used for signing in order to perform this check. It’s entirely possible to modify this list yourself. Some examples include:

    • executing your own MITM style “*attack” in order to intercept and analyze local https traffic
    • corporate network inspection and monitoring, where a gateway does the above for all devices on the network which have a CA cert pre-installed through some policy

    So while it’s possible for trusted 3rd parties to issue valid certificates to bad actors, it’s also possible to add anyone (you, your employer, or some bad actors) to the trusted parties list.

    • Huschke@programming.dev
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      7 months ago

      Add Norton to that list. They also perform their own MITM attack on your pc to ensure your certificates are “safe”…

  • Encrypt-Keeper@lemmy.world
    link
    fedilink
    English
    arrow-up
    8
    ·
    7 months ago

    So there are two things that certificates are for. You already understand the first one, which is the cryptography itself. You can use them to encrypt your traffic so that information sent over the connection is not in plain text.

    The second thing certificates do, is the answer to your dilemma. Identification. For your browser to trust a website’s certificate, the certificate has to be valid for that website. What makes a certificate valid? The certificate has to have been signed by a trusted Certificate Authority, and the name on the certificate must match the website you’re visiting. If you were to ask “What makes a certificate authority trusted?” The answer is that your web browser and/or operating system come preloaded with certificates for trusted certificate authorities. These special certificates were used to sign the certificate of the website you’re visiting, which is another thing your browser checks for. A malicious third party can’t (easily) obtain a valid certificate/key pair for a domain that they don’t own. If your browser was presented with a fake certificate from the malicious third party, it would not connect and would warn you that your connection isn’t secure and would explain why.

    Now if more specifically, you’re wondering that if a malicious third party takes any given website’s public certificate, can it use that to decrypt your session? After all, that public cert is signed and trusted. The answer to that, is that when a certificate is created, so too is a private key file created. This private key is never presented to the public, and it’s the only thing that can decrypt sessions that were encrypted by its paired public certificate. So that third party could install that certificate on a web server theoretically, but they wouldn’t actually be able to decrypt anything because they don’t have the private key for the legitimate certificate.

    So in order for a man in the middle attack like this to work, they’d have to obtain not only a legit websites public certificate, but also the corresponding private key. OR, the third party would need to get access to your PC, and install its own certificate authority signing cert, so that it’s fake, self signed certificates are trusted by your browser. Both of these are possible, but at that point you’re not talking about an unknown man in the middle, the man would have to compromise one of the two ends.

  • Mubelotix@jlai.lu
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    7 months ago

    It should also be mentioned that you can get a CA to sign your certificate just before your domain expires, so you can attack whatever website is going to buy your domain next

  • ZeroGravitas@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    7 months ago

    Nevermind hackers. Look up “corporation in the middle” attacks, which is a prime example of subverting secure channels at scale.

    If you don’t own the hardware, nothing you do on it is truly private. Ditto if someone else has admin access to your hardware (eg BYOD scenarios) . Inserting a root certificate into the OS is trivial in both cases.

  • JakenVeina@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    7 months ago

    An additionap note on what a certificate is, to supplement everyone here who’ve desceibe howbthat’s the missing piece:

    A certificate’s first main purpose is being the vehicle vy which the public key is distributed, but additionally it contains information ABOUT the owner. Then the whole thing is digitally signed with the private key (and also a trusted CA’s private key), so that a receiver can validate the authenticity of the cert with the public key.

    The “info” in the cert can theoretically be anything, but the most important one is the domain. Your browser knows that visiting google.com is secure because it checks the cert it gets from google.com to see if it states that it owns the google.com domain, and then we trust the root CAs around the world to make clients prove they own that domain, before issung a cert for it.