2

So as far as I know, when you go to a https enabled website, all the data you send to that server will be encrypted with their public key, and only the server holding the private key will be able to decrypt it.

BUT, what about the data downloaded from the server - incoming traffic? E.g. if someone could intercept incoming traffic from an https-enabled website to my computer, could they see all of the data I am downloading?

adrian7
  • 213
  • 3
  • 7
  • 3
    Only the session setup is encrypted with public key (asymmetric) cryptography. During session setup the 2 parties negotiate symmetric keys and application data is always encrypted with these keys for the rest of the session – Owen Jun 25 '15 at 19:19

4 Answers4

8

An HTTPS connection encompasses both directions; server->client data is encrypted just like client->server data is.

The private key is important in securing the session key setup, and the session key is used by both sides to encrypt the conversation.

gowenfawr
  • 72,355
  • 17
  • 162
  • 199
  • thanks for the quick answer. I am definitely a lazy person :P since I am sure this is explained in the RFC. – adrian7 Jun 25 '15 at 19:18
  • 1
    Theoretically , i would agree that this can guarantee the confidentiality of the data, but there are many ways an attacker could discover the website you are accessing ( e.g watching your DNS requests, ISP logs) so while they can't see things like your password or info account you can not assume that HTTPS prevents someone to discover the site you are visiting, and that may be enough in some scenarios. – Freedo Jun 26 '15 at 00:37
3

short answer: yes

long answer: when using https everything is encrypted, when using http nothing is and you can do both in the same web page. most browsers warn about unsecure content in secure pages, but there is nothing to stop you from putting secure resources in unencrypted pages. It used to be common to use secure forms (that posted to secure pages) on unsecure pages, but there was not a reliable way to show this so this did not last.

hildred
  • 449
  • 1
  • 4
  • 9
1

An HTTPS connection is encrypted in both directions. Your download will be encrypted if it is over a HTTPS connection.

Keep in mind that while the connection to the website may be encrypted, the download link may not be. Check the URL of the download, if it starts with https:// it is encrypted.

By the way, HTTPS is HTTP over SSL. Read how it works here: How does SSL/TLS work?

ztk
  • 2,247
  • 13
  • 22
1

When SSL is established, a symmetric key is established that is use by both sises (client and server) to encrypt traffic.

So to answer your question, no, they can nott simply "see" inbound traffic.

user1639473
  • 121
  • 1