As I understand, when I log on to a website via HTTPS, the public keys are shared in the beginning of the conversation. I have read around the internet is that if a MITM manages to read the entire conversation from the start, he can decrypt the packet and read the information. What I'm wondering is why do keys have to be shared with each connection? Why doesn't the browser keep the websites key for later use (I'm supposing it doesn't because I can't find anything that says it does)
1 Answers
Simply put, Most of the time there are no 'keys' to share. The thing the web server and browser exchange is much closer to nonce than keys. Its just used to encrypt the second level 'symmetric' encryption key used for the rest of the transmission (since Public / private cryptography is very expensive, and I use symmetric for ease of explanation. I know its more complex)
The problem you have is that initially you have no common grounds to start a secure session with (no encryption base that is shared only between you and the server), so we have to use a complex and 'expensive' process to set up something that is shared only between browser and server.
As to why does the browser not keep the connection open, this is part history, part how browsers work. Luckily for newer browsers and servers we have spdy, spdy allows a smarter reaction by allowing to keep https connection open for longer (and reuse the connection for as long as possible) and even preemptive supply data the server already knows the client is going to need (like the css files attached to a specific html file.)
- 8,336
- 1
- 27
- 43