0

For example, if I am using my personal laptop on a public wifi, and type in the website I want to go to that includes HTTPS, (lets assume https://www.google.com/gmail/) can I reasonably trust that I'm establishing a secure encrypted connection with that website? Can a man in the middle compromise that kind of connection? I encounter this type of scenario all the time at hotels that have open wifis without passwords, and I'm always nervous.

Devil07
  • 543
  • 1
  • 4
  • 10
  • Umm, that SSL question does not directly answer my question. First, it doesn't even mention man in the middle attacks. Second, it doesn't explain how SSL verification can prevent a man in the middle attack. Third, it assumes man in the middle attack can't fool the target into using a false public key to encrypt the connection, or some other vulnerability. – Devil07 Jul 30 '19 at 18:12
  • 2
    Yes it does. Did you even read the duplicate question? –  Jul 30 '19 at 18:51
  • @MechMK1 yes, twice, still waiting for the part where it explains how it prevents a man in the middle attack.Please point me to the line in that other question where it says it prevents man in the middle attack? I'm not a professional tech person, so I need someone to connect the dots, I still don't know what I'm supposed to assume about MITM attacks when reading that other answer. – Devil07 Jul 30 '19 at 19:24
  • If A asks B for public key, and M is "the man in the middle" and intercepts B's public key, and replaces it with M's own public key (criminals can have valid public keys/certificates too), then A can unknowingly establish an seemingly encrypted connection to M's site that appears to be B. The answer I was referred to seems to assume that everybody carefully reads all of the certificate information and digital signature. The answer in SSL Certificate framework 101, is great, but doesn't answer the question. – Devil07 Jul 30 '19 at 19:33
  • @bashcypher can you answer my question, you seem to know what you're talking about? – Devil07 Jul 30 '19 at 19:36
  • 1
    @Devil07 The answer on the other question *is* your answer. The certificate verification process. B's public key will not match the certificate verified by the 3rd party. – schroeder Jul 30 '19 at 20:18
  • Your comments also suggest that you missed the point in the answer that it's the *browser* that does all this verification and throws warnings when they do not match. It does not require that "everybody carefully reads all of the certificate information and digital signature" – schroeder Jul 30 '19 at 20:22
  • @schroeder, thank you for your explanation above. However, can't a MiTM attack also be interactive, where the MTM tricks or diverts user to a differnet site, where the 3rd party certificate does match? This has been my understanding of sophisticated MTM attacks, but maybe I'm being paranoid. – Devil07 Jul 30 '19 at 21:00
  • 1
    @Devil07 no because the HTTP message that would make the redirect request would only be sent after the TLS session has been established. See also: https://en.wikipedia.org/wiki/Transport_Layer_Security#Protocol_details – CaffeineAddiction Jul 30 '19 at 21:06
  • I guess maybe what I'm thinking about isn't a man in the middle attack, where person wants to go to www.bank.com, but ends up at www.bankk.com, and gets a valid certificate from www.bankk.com, but thinks they are at www.bank.com. If browser is diverted to bankk.com, the certificate will match bankk.com and if there is a MTM, who has the private key for bankk, then thats it, they can see that traffic. – Devil07 Jul 30 '19 at 21:07
  • @CaffeineAddiction what if the initial handshake occurs with an imposter website? As in www.bankk.com instaed of www.bank.com and MTM has the bankk.com private key? – Devil07 Jul 30 '19 at 21:17
  • That's redirection, not MitM. And the threat is exactly as you describe. That's not a problem to visit the site. Nothing is at risk. What *is* at risk is if you log in with bank.com's credentials. But this whole thing is a phishing scenario, not MitM or a TLS issue. – schroeder Jul 30 '19 at 21:29
  • @schroeder OK. So, as long as I can confirm that the correct URL is in the browser, and I'm on a trusted device, there is no risk of MitM attack, even on shady open networks. – Devil07 Jul 30 '19 at 21:46
  • and if it is using TLS, you have not installed a certificate for the network, and there are no certificate warnings, the risk is very low – schroeder Jul 30 '19 at 22:03
  • 1
    @Devil07 if the initial handshake occurs with an imposer website ... then it will be with a different certificate. Thus as Schroeder said it becomes a people problem rather than a protocol problem. If you don't check the url, you could very well fall prey to a fishing attempt. – CaffeineAddiction Jul 31 '19 at 14:31

0 Answers0