DEV Community

loading...

Discussion on: Lab: How does SSL work?

Collapse
zenulabidin profile image
Ali Sherief Author

Hi there,

A forged message will not abort the connection.

If an attacker can intercept the public key of the certificate, then they can send spoofed messages to the client pretending that they are the server (man-in-the-middle attack). An attacker would have to make their own socket with their IP address and port in order to do that. That how they can trick the client in the first place. It only needs the public key (EDIT: and private key). In practice this doesn't happen with newer SSL versions, especially TLS 1.3, because they use strong ciphers.

In the post when I said "the connection is aborted", I should have made it clear that only browsers do that. For example, the SSL errors you see in Chrome are a manifestation of this.

Collapse
schollii profile image
schollii

Isn't the public key of the certificate findable by anyone?

Thread Thread
zenulabidin profile image
Ali Sherief Author

Yeah, sooner I realized this and I meant to say public key and private key, but I was out sick the past few days so I couldn't edit my articles.