Thread ID: 117257 2011-04-10 02:38:00 RaboDirect MITM attack? somebody (208) PC World Chat
Post ID Timestamp Content User
1193358 2011-04-11 04:03:00 They certainly can snoop - it doesn't matter who the 'proper' certificate is issued to, or who by.

All that matters is that the traffic is passing through Akamai's servers, and Akamai runs a CA that is trusted by most browsers. This allows Akamai to transparently intercept all HTTPS traffic between the browser and RaboBank.

But if the certificate was issued to rabobank, only rabobank has the private key to decrypt the contents. It's a bit more complex than that, but basically anything encrypted with rabobank's public key (from the certificate) can only be decrypted by rabobank's private key (which only rabobank has).

Others will see the encrypted traffic stream, but they can't decrypt it.
utopian201 (6245)
1193359 2011-04-11 04:17:00 But if the certificate was issued to rabobank, only rabobank has the private key to decrypt the contents. It's a bit more complex than that, but basically anything encrypted with rabobank's public key (from the certificate) can only be decrypted by rabobank's private key (which only rabobank has).

Others will see the encrypted traffic stream, but they can't decrypt it.

You're missing the point. Akamai doesn't need to do it that way, because they are a trusted CA - so instead of trying to decrypt an encrypted stream between the browser and RaboBank (which they obviously can't do), they hijack the connection setup.

The way Akamai can do this is as follows:
1. Browser does a DNS lookup for www.rabodirect.co.nz, and receives the IP of Akamai's cache server.
2. Browser starts an HTTPS session with Akamai's cache server, using a certificate for www.rabodirect.co.nz created and signed by Akamai. This means that only Akamai's cache server and the browser can decrypt content from this session.
3. Akamai's cache server looks at the request, and serves what it can from its own cache.
4. For things Akamai doesn't have cached, it makes its own connection to the 'real' www.rabodirect.co.nz website and retrieves those items, then forwards them on to the browser.
As you can see, at no point in this process does the browser ever talk directly to the 'real' RaboDirect server - all communication is done directly between the browser and Akamai's cache server, using a certificate that Akamai controls, and therefore session keys that Akamai knows how to decrypt. The browser never sees the 'real' certificate; it only ever sees Akamai's one.
Erayd (23)
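The trust decision the two posts are arguing about, as an added example that is not from the thread or from either poster. It models what a browser actually checks when it receives a certificate for www.rabodirect.co.nz: the name matches and the signature verifies under some root in its trust store. Whether the certificate was "issued to rabobank" by a particular CA never enters the check, so a second trusted root can mint its own certificate for the name and the browser keys the session to that certificate's public key instead of the bank's. Textbook RSA on small constructed primes stands in for X.509 signatures; the CA names "Public CA" and "CDN CA", the key seeds and the pinning check are assumptions for illustration, and the code does not claim anything about what Akamai does in practice.

```python
"""Toy model of the browser-side trust decision discussed in this thread.

Constructed example: textbook RSA on small primes stands in for real X.509
signatures, so every number here is illustrative and trivially breakable.
"""
import hashlib
import math
import random


def next_prime(start: int) -> int:
    """Smallest odd prime >= start, by trial division (fine for ~32-bit values)."""
    n = start | 1
    while True:
        if all(n % d for d in range(3, math.isqrt(n) + 1, 2)):
            return n
        n += 2


def keygen(seed: int, e: int = 65537):
    """Deterministic toy RSA key pair: returns ((e, n), (d, n))."""
    rng = random.Random(seed)
    while True:
        p = next_prime(rng.getrandbits(32) | (1 << 31))
        q = next_prime(rng.getrandbits(32) | (1 << 31))
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def _tbs(subject: str, pubkey, issuer: str) -> bytes:
    """The 'to be signed' part of a toy certificate."""
    e, n = pubkey
    return f"{subject}|{e}|{n}|{issuer}".encode()


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue_cert(subject: str, subject_pub, issuer: str, issuer_priv) -> dict:
    """A CA signs (subject name, subject public key) with its private key."""
    d, n = issuer_priv
    return {
        "subject": subject,
        "public_key": subject_pub,
        "issuer": issuer,
        "signature": pow(_digest(_tbs(subject, subject_pub, issuer), n), d, n),
    }


def browser_accepts(cert: dict, hostname: str, trust_store: dict) -> bool:
    """What a browser checks: the name matches and the signature verifies under
    ANY root in the trust store. Nothing asks which CA *ought* to have signed."""
    if cert["subject"] != hostname:
        return False
    root = trust_store.get(cert["issuer"])
    if root is None:
        return False
    e, n = root
    tbs = _tbs(cert["subject"], cert["public_key"], cert["issuer"])
    return pow(cert["signature"], e, n) == _digest(tbs, n)


def pinned_accepts(cert: dict, hostname: str, trust_store: dict, pinned_pub) -> bool:
    """Key pinning: additionally require the leaf key the site is known to use."""
    return browser_accepts(cert, hostname, trust_store) and cert["public_key"] == pinned_pub


HOST = "www.rabodirect.co.nz"            # hostname from the thread
# Constructed parties (assumed names): a public CA, a CA run by the CDN (the
# thread's claim), the bank's own server key, and the CDN edge server's key.
PUBLIC_CA_PUB, PUBLIC_CA_PRIV = keygen(1)
CDN_CA_PUB, CDN_CA_PRIV = keygen(2)
BANK_PUB, BANK_PRIV = keygen(3)
EDGE_PUB, EDGE_PRIV = keygen(4)

REAL_CERT = issue_cert(HOST, BANK_PUB, "Public CA", PUBLIC_CA_PRIV)   # the bank's cert
EDGE_CERT = issue_cert(HOST, EDGE_PUB, "CDN CA", CDN_CA_PRIV)         # the CDN's cert
TRUST_STORE = {"Public CA": PUBLIC_CA_PUB, "CDN CA": CDN_CA_PUB}      # both roots trusted


def scenario() -> dict:
    """Run the thread's argument end to end and return each observation."""
    # A cert for the name signed with a key no trusted root vouches for (signed
    # by the CDN CA key while claiming "Public CA" as issuer) is rejected: a
    # cert cannot be forged, but a party that RUNS a trusted root need not forge.
    forged = issue_cert(HOST, EDGE_PUB, "Public CA", CDN_CA_PRIV)
    return {
        "real_cert_accepted": browser_accepts(REAL_CERT, HOST, TRUST_STORE),
        "edge_cert_accepted": browser_accepts(EDGE_CERT, HOST, TRUST_STORE),
        # The browser keys its session to whichever public key arrived in the
        # accepted cert; the bank's private key never enters into it.
        "edge_cert_carries_bank_key": EDGE_CERT["public_key"] == BANK_PUB,
        "forged_cert_rejected": not browser_accepts(forged, HOST, TRUST_STORE),
        "edge_cert_passes_pin": pinned_accepts(EDGE_CERT, HOST, TRUST_STORE, BANK_PUB),
        "edge_cert_without_cdn_root": browser_accepts(EDGE_CERT, HOST, {"Public CA": PUBLIC_CA_PUB}),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Both posters are right about their own half: utopian201's point holds for the bank's private key, which is never exposed, and Erayd's point holds because the browser never needed that key in the first place. The last two entries of `scenario()` show the two checks that would detect the substitution, pinning the expected leaf key and not trusting the second root, neither of which a 2011 browser did by default.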