Is an HTTPS connection secure without a valid SSL certificate?

I am using an HTTPS connection without a valid SSL certificate. Is the connection secure? Is the information encrypted?

+46
ssl-certificate
05 Oct 2018-10-10
6 answers

The connection is encrypted even if the SSL certificate is invalid (expired, snake oil, untrusted CA, etc.). Checking the SSL certificate simply ensures that you are connecting to the people you think you are connecting to. Encryption does you no good if the people decrypting your data are crackers instead of PayPal.

+51
Oct 05 2018-10-10
source

In fact, you can establish an encrypted connection between complete strangers without a certificate, using Diffie-Hellman or similar key exchange algorithms.

Alice and Bob agree to a random number x. Alice calculates x^a, where a is a large prime known only to Alice, and sends it to Bob. Bob calculates x^b and sends it to Alice. Alice calculates (x^b)^a and Bob calculates (x^a)^b. Since (x^a)^b = (x^b)^a = x^(ab), Alice and Bob now both know the number x^(ab) and can use it as an encryption key. The beauty of this is that Bob does not know a, Alice does not know b, and any eavesdroppers do not know either number (since it would take years to calculate a from x^a in the case of large numbers).

As the supercard emphasizes, this in itself is still subject to a man-in-the-middle attack, and therefore at least one end of the transaction must be authenticated using a certificate. To be precise, it is not the server that checks this, it is the browser, and most browsers will allow the user to continue if the certificate is invalid (or possibly even junk). In this case, the connection will be significantly safer than a regular connection. To listen in, you would need to be able to manipulate IP routing or DNS lookups, and you would need to set that up before the connection is made, which is not easy to do.

By the way, the key pairs in certificates are not used to encrypt actual traffic; they are used to create a new one-time key for a much faster symmetric cipher (like DES), which then does the rest of the work.

+22
Mar 28 '13 at 3:04 on
source

If SSL certificates were not checked, then someone who intercepted the communication channel could grab a connection request to https://www.acmebank.com, send his own request to www.acmebank.com, and negotiate keys both with acmebank.com and with the user. After that, he can receive every piece of data from the user, decrypt it with the user's key and encrypt it with the acmebank key, and do the same with data from the acmebank.com website. The net effect would be that neither the user nor acmebank would see anything wrong, but the interceptor would be able to decrypt all the data between the user and acmebank. The user and the bank will use different keys to process their messages, but neither of them will know about it. Adding any standard aspect to the protocol to find out which key is used would not help, since the interceptor could detect such requests and modify the responses accordingly.

SSL prevents a man-in-the-middle attack by requiring the host to send the recipient a copy of the key that the host uses, encrypted in a form that the attacker could not fake (unless the attacker could at least fake CA credentials). If you do not use a certificate issued by a CA, protection against a man-in-the-middle attack will be slight, although the encryption layer will prevent passive or retrospective decryption of the session contents (BTW, I would like to have some standards for something between unencrypted communication and SSL, for situations where passive or retrospective decryption is the main threat, but I don't know of any).

+9
Oct 05 '10 at 15:40
source
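The exchange from the Diffie-Hellman answer and the interception described in the answer above, as an added example that is not part of any of the posts. It assumes a public prime modulus `P` (the answer leaves the modulus implicit), toy-sized constructed parameters, and hypothetical function names; the fingerprint comparison stands in for the identity check a CA-signed certificate provides.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, far too small for real use).
P = 2**127 - 1   # public prime modulus
X = 3            # the public number "x" both sides agree on

def keypair():
    """Return (secret exponent, public value x^secret mod P)."""
    secret = secrets.randbelow(P - 3) + 2
    return secret, pow(X, secret, P)

def shared_key(own_secret, peer_public):
    """Derive a symmetric key from (peer_public)^own_secret mod P."""
    value = pow(peer_public, own_secret, P)
    return hashlib.sha256(value.to_bytes(16, "big")).hexdigest()

def fingerprint(public):
    """Stand-in for the identity a valid certificate vouches for."""
    return hashlib.sha256(public.to_bytes(16, "big")).hexdigest()

def exchange(intercepted, pinned_check):
    """Run one handshake; return (alice_key, bob_key, accepted_by_alice)."""
    a, alice_pub = keypair()
    b, bob_pub = keypair()
    trusted = fingerprint(bob_pub)   # what Alice learned out of band
    seen_by_alice, seen_by_bob = bob_pub, alice_pub
    if intercepted:
        # A relay on the path substitutes its own public value both ways.
        _, relay_pub = keypair()
        seen_by_alice = seen_by_bob = relay_pub
    # Without the check, Alice accepts whatever public value arrives.
    accepted = (not pinned_check) or fingerprint(seen_by_alice) == trusted
    return shared_key(a, seen_by_alice), shared_key(b, seen_by_bob), accepted

if __name__ == "__main__":
    for intercepted, pinned in [(False, True), (True, False), (True, True)]:
        ka, kb, ok = exchange(intercepted, pinned)
        print(f"intercepted={intercepted} check={pinned} "
              f"same_key={ka == kb} accepted={ok}")
```

With the check disabled, the intercepted handshake is accepted even though the two ends hold different keys; with the check enabled, the substituted public value is rejected before any traffic is encrypted under it.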

No more worries about invalid SSL certificates. Now you can generate a free, browser-valid certificate for your server as easily as you create a snakeoil certificate (self-signed, invalid in browsers). Go to https://letsencrypt.org/; it is free and open for contributions.

+4
Jan 07 '16 at 10:13
source

Nope. What you do when using HTTPS is tell the browser to connect through a different port (443), whereas usually you connect through (80). Without a certificate, the server will refuse to connect. HTTPS is simply not possible without a certificate. Look here and you will see a certificate to make it work.

+2
Oct 05 2018-10-10
source

It is possible to establish an encrypted connection, yes, but it would still be possible that you are talking to a cracked computer instead of the real server. Thus, a cracked computer tells the server that it is the client, decrypts all the data, saves it, and sends the encrypted data on to the client (and tells it that it is the server). Thus, it is only a secure connection if there is no weak point between the server and the client, which no one can guarantee.

0
Apr 08 '14 at
source
