Tags: ssl, https, handshake, man-in-the-middle

Can a "man in the middle" attack on an HTTPS connection READ all the communication?


If the attacker does the MITM attack before the handshake and watches it being done, gets both public certificates and acts just as a listener.

Instead of trying to act as one of the parties, just read all the communication to get useful information like JWT tokens and other information about what the user is doing on that site.

Given that the attacker will be able to intercept the certificates before the connection is secured, it can open all the packets after the handshake is done. Am I wrong?

Is that possible?


Solution

  • Yes and no, it depends on some other elements in play...

    The answer is YES in the case where there's no SSL certificate!

    How?

    Let's consider the classic case where the 2 peers are Alice and Bob trying to communicate via HTTPS.

    The MITM can get only the public key from Alice and Bob. Not the private keys. Even in the original situation, Alice can only encrypt information to Bob using Bob's public key and Bob can only encrypt information to Alice using Alice's public key.

    What a "smart" MITM would do is to REPLACE the public keys that are delivered in the channel for each peer. In other words: Alice sends the key that Bob is supposed to receive. The MITM will intercept this key and not deliver it to Bob, but instead, he/she will replace it with his/her own key (let's call it the hacker key) and then deliver this hacker key to Bob.

    The same thing above will happen in the other direction with the key that Bob is supposed to send to Alice.

    Well... now both Alice and Bob have received a hacker key and they THINK the key is the original from the other peer (because there is no certificate), but the original is kept by the hacker. Do you see? The hacker can just receive information from one of the sides and decrypt it (because it was encrypted with the hacker's public key) and then re-encrypt it with the original public key of the other side. Simple as that!

    ... BUT the answer is NO if there is an SSL certificate.

    Why?

    Because certificates exist exactly to solve the problem described above. It means the public key coming from Alice/Bob can be verified by digital signatures to check that it in fact belongs to Alice or Bob, so, if they are using an SSL certificate, Alice and Bob are able to detect that some MITM swapped the original keys. How this works is out of scope of this question, but "as a short answer" both sides will have third-party certificates "pre-installed" that can be used to validate the authenticity of the public keys being exchanged.
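
The certificate check the answer describes, as an added example that is not part of the original answer: a toy textbook-RSA signer (constructed parameters, not secure, not real TLS/X.509) signs the name-to-key binding, and the receiver rejects a key that was replaced in transit. The names `make_signer`, `issue_cert`, `verify_cert` and `bob.example` are hypothetical.

```python
import hashlib

# Toy textbook RSA (constructed parameters: small known primes, no padding).
# It only illustrates the signature check; it is NOT secure and is not TLS/X.509.
def make_signer(p, q, e=65537):
    """Return (public, private) key material for a certificate signer."""
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def binding_hash(name, public_key, n):
    """Hash the (name, public key) pair that a certificate vouches for."""
    data = f"{name}|{public_key}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_cert(private, name, public_key):
    """Signer side: sign the binding with the signer's private key."""
    sig = pow(binding_hash(name, public_key, private["n"]), private["d"], private["n"])
    return {"name": name, "public_key": public_key, "sig": sig}

def verify_cert(trusted, cert, expected_name):
    """Receiver side: check name and signature against the pre-installed CA public key."""
    expected = binding_hash(cert["name"], cert["public_key"], trusted["n"])
    return (cert["name"] == expected_name
            and pow(cert["sig"], trusted["e"], trusted["n"]) == expected)

def demo():
    ca_pub, ca_priv = make_signer(2**127 - 1, 2**89 - 1)    # CA the receiver trusts
    _, rogue_priv = make_signer(2**107 - 1, 2**61 - 1)      # signer the receiver does not trust
    bob_key, other_key = 0xB0B, 0xBAD                       # stand-ins for real public keys
    genuine = issue_cert(ca_priv, "bob.example", bob_key)
    swapped = dict(genuine, public_key=other_key)           # key replaced in transit, signature kept
    resigned = issue_cert(rogue_priv, "bob.example", other_key)  # replaced and re-signed
    return {
        "genuine": verify_cert(ca_pub, genuine, "bob.example"),
        "swapped": verify_cert(ca_pub, swapped, "bob.example"),
        "resigned": verify_cert(ca_pub, resigned, "bob.example"),
    }

if __name__ == "__main__":
    print(demo())
```

Only the certificate signed by the pre-installed CA over the unmodified key verifies; a receiver that skips `verify_cert` has no way to tell the three apart.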