this post was submitted on 18 Oct 2023
17 points (90.5% liked)

Programming

17537 readers
273 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 2 years ago
MODERATORS
 

Say Alice wants to open up an HTTPS connection to Bob through a proxy named Earl.

What prevents Earl from reading alices request, opening a connection pretending to be bob, and then opening a https connection with bob pretending to be Alice , and snooping on the traffic as it passes through ?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 20 points 1 year ago* (last edited 1 year ago) (3 children)

Certificates and four-way handshakes.

The handshake is done in a way that nobody could intercept it. Both parties have undisclosed secrets.

The certificate is signed by a trusted authority, which can be verified with a certificate from the authority who signed it. Nothing can be forged without private keys, which are never transmitted.

My company uses a proxy which breaks end-to-end encryption and intercepts/forwards everything without either end party being aware. This is done by manually installing an authority certificate on every client in the office, and the server dishes out forged certificates for every connection. The clients explicitly trust the forgery.

This is why I prefer to work from home, with a personal PC next to me on my own network. I refuse to browse the web on company hardware.

[–] hascat 6 points 1 year ago

I refuse to browse the web on company hardware.

This should be the default no matter the policy the company has in place. I wouldn't trust an employer to not spy on my online activity.

[–] [email protected] 2 points 1 year ago (1 children)

Oooh that makes alot of sense, thanks and thanks everyone. So https cant be used for peer to peer , you need a server with a certificate from a trusted authority...

[–] [email protected] 1 points 1 year ago

Right. You'll get a warning otherwise. If you're setting up a lab for yourself, though, you can set up your own trusted authority and use that to issue certificates and it ends up very much like this within your lab.

[–] RonSijm 1 points 1 year ago

I refuse to browse the web on company hardware.

There are tools that you can use to scan whether there are no root certificates (from your company) are injected into your certificate store, if that's what you're concerned about.

But yea, even if I get company hardware, I still just do a clean OS install