惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
W
WeLiveSecurity
O
OpenAI News
N
News and Events Feed by Topic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
云风的 BLOG
云风的 BLOG
N
News | PayPal Newsroom
H
Hacker News: Front Page
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
The Last Watchdog
The Last Watchdog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Schneier on Security
宝玉的分享
宝玉的分享
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Y
Y Combinator Blog
Cyberwarzone
Cyberwarzone
Microsoft Security Blog
Microsoft Security Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
GbyAI
GbyAI
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
人人都是产品经理
人人都是产品经理
P
Palo Alto Networks Blog
M
MIT News - Artificial intelligence
G
GRAHAM CLULEY
C
Check Point Blog
Apple Machine Learning Research
Apple Machine Learning Research
Last Week in AI
Last Week in AI
T
Troy Hunt's Blog
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
量子位
博客园 - 聂微东
S
Securelist
博客园 - 三生石上(FineUI控件)
F
Full Disclosure
G
Google Developers Blog
L
LINUX DO - 热门话题
P
Proofpoint News Feed
AI
AI
PCI Perspectives
PCI Perspectives

ashishb.net

A day in Luxembourg - the richest country in the world I was asked to install malware during a fake interview Book summary: Breakneck - China's quest to engineer the future by Dan Wang Book summary: How to Teach Your Baby to Read Book Summary: The Discontented Little Baby Book by Pamela Douglas Introducing Amazing Sandbox - run third-party tools and AI agents securely on your machine Why software outsourcing gets a bad reputation? Book summary: The Natural Baby Sleep Solution by Polly Moore A day in Antwerp, Belgium Journey of online influencers Two days in Brussels, Belgium Shortcuts - when we love them and when we don't A visit to Rakhigarhi Three days in overhyped Paris Empty Japan, crowded Tokyo The real lock-in in GitHub is not the code, but the stars 11-day Norwegian Breakaway East Caribbean cruise Sanskrit and Sri Lankan Air Force Use REST with Open API The Achilles heel of American capitalism Costa Rica in 4 days At a juice stall in Sri Lanka A short stay at Warsaw, Poland Best practices for using Python & uv inside Docker Two days in Vilnius, Lithuania How IntelliJ IDEs waste disk space Pregnancy Why there aren't many digital nomads from India Two days in Riga, Latvia To keep your machine secure, run third-party tools inside Docker Family Ties in Your DNA: Some relatives are closer than others Doctors per capita Two days in Tallinn, Estonia Ship tools as standalone static binaries Made in America Two days in Helsinki, Finland Maintaining an Android app is a lot of work The land of good deals Two days in Oslo, Norway FastAPI vs Flask performance comparison Google Search is losing to Perplexity Two days in Dublin, Ireland Continuous integration ≠ Continuous delivery World's simplest project success heuristic London in 5 days It is hard to recommend Python in production Inflation, IRS, Credit cards, and Vendors Temu and the Chinese approach Things to do in Miami Florida Revenue vs Cost Axis Language learning as an adult The unanchored babies of the green card limbo Price variance in the United States A day in Louisville, Kentucky A surprisingly positive experience with Air India Unhospitable Airports Android: Don't use stale views USA = Union of Sales and Advertisement A day in Nashville, Tennessee Minimize Javascript in your codebase A day in Birmingham, Alabama In defense of ad-supported products Real vs artificial world The science behind Punjabi singers Hiking Mt. Fuji The Indian startup bubble is insane Repairing database on the fly for millions of users Book Summary: One up on Wall Street by Peter Lynch It is hard to recommend Google Cloud At the Prague airport Kyoto in three days Migrating from WordPress to Hugo Book summary: Sick Societies by Robert B. Edgerton Statistical outcomes require statistical games Illegal immigrants to Europe via Cairo Tokyo in three days Mobs are Status Games Writing Script matters as much as the spoken language Sri Lanka in 5 days LLMs: great for business but bad business Book Summary: Safe Haven by Mark Spitznagel Mac shortcut for typing Avagraha symbol On a bus with an asylum seeker Nicaragua in 5 days When to commit Generated code to version control Why I always buy a local SIM in a foreign country Use Makefile for Android Four days in Guadalajara, Mexico Android Navigation: Up vs Back Hotels vs Airbnb vs Hostels Currency issues in Argentina Abstractions should be deep not wide Some data on podcasting Always support compressed response in an API service A day in El Calafate - Patagonia, Argentina Hermetic docker images with Hugging Face machine learning models American Elections The sound of "ch" API services should always have usage Limits Hiking in El Chaltén - trekking capital of Argentina
Is HTTPS secure?
Ashish Bhatia · 2010-09-21 · via ashishb.net

We all use HTTPS and vaguely understands it as a more secure form of communication. This article is aimed at better understanding of HTTPS and how secure it is.

How HTTP works

  1. The client sends the request for example.com
  2. After getting IP address and making a further request to IP address, client gets a final reply, Hi, I am example.com, and this is the data you asked for [the homepage] The client blindly trusts that the other party is genuine example.com and no one else impersonating it.

Client Server communication

Two major problems with HTTP

  1. Eavesdropping - Eavesdropping can be done by anyone who has access to the medium. For example, if you are in a company who has taken a connection from BSNL. Then data transmitted from your system to example.com through company’s router(s), ISP (say BSNL) router(s) and following a long-chain of routers finally reach example.com. Any of these routers can be utilized for eavesdropping on the data being transmitted.
  2. Man-in-the-middle Attacks - DNS translates Domain-names to IP addresses. So, a maliciously configured DNS can route example.com to IP address of an evil server which talks to a client on one side and (say) example.com on the other. In plain HTTP implementation, there is no way of verifying whether we are communicating with real example.com or a fake one.

How HTTPS works

  1. The client sends a request for https://example.com
  2. After getting IP address and making a further request to IP address, the client gets a reply. Hi, I am example.com, My public key is d9 27 c8 11 … It is certified by (say) Verisign Inc. [and a lot of other things like when it expires etc.]
  3. The browser verifies[pdf] the key to ensure that it is issued to example.com and is not tempered.
  4. Then it uses this public key to encrypt a secret key and sends the secret key(encrypted) to example.com. This key will be used for encrypted communication using symmetric key encryption.

How HTTPS solves the problems

  1. Eavesdropping is solved since the communication is encrypted before transmitting any sensitive data (say username/password to example.com)
  2. Man-in-the-middle is solved if and only if we trust the certifying authority(CA), eg. Verisign for the verification. (Here is an underlying assumption that HTTPS algorithm is not breakable and its implementation is not having any flaw)

So, the safety of HTTPS primarily reduces to how trustable are the Certifying Authorities [which our web browser recognize] “Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Websites. Safari and Firefox now trust more than 60 separate certificate authorities by default. Microsoft’s software trusts more than 100 private and government institutions.” [/source]

Now, as EFF has pointed out that how big a mess is this certification process especially since a few certifying authorities have delegated their task of certification to some not-so-trustable companies like Etisalat, UAE.

So, for example, if someone sitting in Dubai or now even in India accesses the Internet through the network owned by Etisalat, who once installed spyware and copied emails of all BlackBerry customers to private email addresses. The routers can redirect a person visiting example.com to a malicious look-alike website and since it shows a valid certificate with its own public key not the actual public key of example.com. It will appear genuine and will not raise any flags in the browser. As pointed out, Commercial products based on getting forged certificates already exist.

Note:

  1. For the paranoids, there is a Firefox addon which warns the user if a website presents a certificate different from last time.
  2. The ideas presented are simplified for the sake of understanding, the actual implementation are more involved but based on the same ideas.