Can ISPs see the full address you put into the address bar?

Pentium100:

--- Quote from: kitamesume on August 24, 2012, 08:19:07 PM ---then wouldn't the ISP be able to easily launch an MiTM attack? since they're practically [client <====encrypted====>ISP<====encrypted====>server]
wouldn't it be more secure to transfer the files physically then?

--- End quote ---

Yes, physically transferring files can be very secure.

Now, about SSL and MITM. Every SSL server has a certificate that is issued by a "trusted authority" - this can be a company like Verisign or an internal CA (if the service is only available internally and not to the general public). Basically the certificate states "Authority X verifies that the public key of somebank.com is 12345", so, it has both the name and public key. When the client connects to the server, the server provides its certificate and the client takes the public key from it and uses it to encrypt what it sends to the server (actually it is a bit more complicated, what I am writing here is the TLDR version). The server decrypts that using its private key (which is, as the name says, kept private and not transmitted anywhere). If you capture the data, there is no way to decrypt it without the private key.

Now, if the ISP tries to disguise itself as the server, it needs to provide a valid certificate. It cannot copy the certificate that the real server sends because it does not know the private key of the server, so it needs a new certificate. The "trusted authority", like Verisign, should not issue a certificate that allows the ISP to disguise itself (if it does, it soon becomes "no longer trusted"). So, the ISP can:
1. Issue the certificate themselves (called a self-signed certificate) - the client will not trust it most likely and the browser will display an error message.
2. Use a certificate issued by the trusted authority but for a different name - the certificate will be seen as invalid and the browser will display an error message.
3. Hack the real server and get the private key - the bank will most likely be a bit upset by this, also, a certificate can be revoked (just like a stolen bank card).

A VPN can be made even more secure by only trusting your own CA - then even if the ISP manages to persuade Verisign to issue a fraudulent certificate, the client still won't trust it.
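
The checks described in the post above can be reproduced offline with the OpenSSL command line. This is an added example, not part of the original post: it builds a private CA, a genuine server certificate, a self-signed impostor (case 1) and a CA-issued certificate for the wrong name (case 2), then verifies each as a client that trusts only that CA. It assumes OpenSSL 1.1.1 or later with its default configuration file; `somebank.example`, `isp-proxy.example` and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: every name and file here is constructed for the demo.
DIR=$(mktemp -d)
HOST=somebank.example

# Self-signed certificate: used for our private CA and for the impostor.
self_signed() {  # $1 = file prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$DIR/$1.key" -out "$DIR/$1.pem" 2>/dev/null
}

# Certificate for name $2, signed by our private CA.
ca_issued() {    # $1 = file prefix, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$DIR/$1.key" -out "$DIR/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$DIR/$1.csr" -days 1 -CA "$DIR/ca.pem" \
        -CAkey "$DIR/ca.key" -CAcreateserial -out "$DIR/$1.pem" 2>/dev/null
}

# What the client does: use our CA as the trust anchor, skip the default
# CA file and directory (on OpenSSL 3.x, -no-CAstore also skips the default
# store), and require the certificate to name the host we meant to reach.
client_accepts() {  # $1 = file prefix of the certificate presented
    openssl verify -no-CAfile -no-CApath -CAfile "$DIR/ca.pem" \
        -verify_hostname "$HOST" "$DIR/$1.pem" >/dev/null 2>&1
}

self_signed ca        "Constructed Private CA"
ca_issued   real      "$HOST"               # the genuine server
self_signed impostor  "$HOST"               # case 1: self-signed, right name
ca_issued   wrongname "isp-proxy.example"   # case 2: trusted CA, wrong name

for c in real impostor wrongname; do
    if client_accepts "$c"; then echo "$c: accepted"; else echo "$c: REJECTED"; fi
done
```

Only the certificate that both chains to the trusted CA and carries the expected name passes; the other two are what produce the browser error messages mentioned in the post.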
