this post was submitted on 18 Oct 2023
17 points (90.5% liked)

Programming

17538 readers
273 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 2 years ago
MODERATORS
 

Say Alice wants to open up an HTTPS connection to Bob through a proxy named Earl.

What prevents Earl from reading alices request, opening a connection pretending to be bob, and then opening a https connection with bob pretending to be Alice , and snooping on the traffic as it passes through ?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

The security of HTTPs relies on public key certificates.

I recommend reading up on it here: https://en.m.wikipedia.org/wiki/HTTPS#Overview

Especially the part after this segment:

Web browsers know how to trust HTTPS websites based on certificate authorities that come pre-installed in their software.

[–] [email protected] 1 points 1 year ago (1 children)

Great explanation indeed!

I was missing this part from my understanding:

The certificate correctly identifies the website (e.g., when the browser visits "https://example.com", the received certificate is properly for "example.com" and not some other entity).

In a sense it all comes down to a CA (e.g let's encrypt) not giving out certificates for your domain, so that only your server has a valid certificate for your domain and not also some attacker.

But that itself requires domain verification to be secure (robust against MITM attacks), which apparently it wasn't for the longest time.

Just recently there was a post about ACME-CAA, which addresses this issue (when configured). Great article on it here: https://www.devever.net/~hl/acme-caa-live

[–] [email protected] 1 points 1 year ago

Yeah, pretty much. If you control the DNS you can do whatever