Say Alice wants to open up an HTTPS connection to Bob through a proxy named Earl.

What prevents Earl from reading Alice's request, opening a connection pretending to be Bob, and then opening an HTTPS connection with Bob pretending to be Alice, and snooping on the traffic as it passes through?

  • @pHr34kY
    1 year ago

    Certificates and four-way handshakes.

    The handshake is done in a way that nobody could intercept it. Both parties have undisclosed secrets.

    The certificate is signed by a trusted authority, which can be verified with a certificate from the authority who signed it. Nothing can be forged without private keys, which are never transmitted.

    My company uses a proxy which breaks end-to-end encryption and intercepts/forwards everything without either end party being aware. This is done by manually installing an authority certificate on every client in the office, and the server dishes out forged certificates for every connection. The clients explicitly trust the forgery.

    This is why I prefer to work from home, with a personal PC next to me on my own network. I refuse to browse the web on company hardware.

    • @bonus_crab (OP)
      1 year ago

      Oooh, that makes a lot of sense, thanks, and thanks everyone. So HTTPS can't be used for peer to peer, you need a server with a certificate from a trusted authority…

      • @kn33
        1 year ago

        Right. You’ll get a warning otherwise. If you’re setting up a lab for yourself, though, you can set up your own trusted authority and use that to issue certificates and it ends up very much like this within your lab.
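
A worked illustration of what @pHr34kY describes (the proxy cannot forge Bob's certificate without the CA's private key, but it can if its own CA is installed on the client) and of @kn33's lab-CA remark. This is an added example, not code from anyone in the thread; it uses only Go's standard `crypto/x509` package, and every name in it (`Public Root CA`, `bob.example`, `earl.example`, `Earl Proxy CA`) is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustIssue creates a certificate for cn. With parent == nil it is a self-signed
// root CA; otherwise it is signed with parentKey, which only that CA holds.
// The private key never leaves the issuer, which is the whole point of the thread.
func mustIssue(cn string, isCA bool, dnsNames []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              dnsNames, // modern clients match the SAN, not the CN
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyAs does what a browser does after the handshake: the certificate
// presented for host must name that host and chain to a root the client trusts.
func verifyAs(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records the four checks discussed in the thread.
type Outcome struct {
	BobAccepted     bool // Bob's real cert, client trusts only the public CA
	EarlOwnRejected bool // Earl's legitimate cert for earl.example, presented as bob.example
	ForgedRejected  bool // Earl's self-issued cert for bob.example, client trusts only the public CA
	ForgedAccepted  bool // the same forged cert once Earl's CA is installed on the client (corporate proxy / lab CA)
}

// RunScenario builds the constructed PKI and evaluates each case.
func RunScenario() Outcome {
	publicCA, publicKey := mustIssue("Public Root CA", true, nil, nil, nil)
	bob, _ := mustIssue("bob.example", false, []string{"bob.example"}, publicCA, publicKey)
	earlOwn, _ := mustIssue("earl.example", false, []string{"earl.example"}, publicCA, publicKey)
	// Earl has no access to publicKey, so the best he can do is his own CA.
	earlCA, earlKey := mustIssue("Earl Proxy CA", true, nil, nil, nil)
	forged, _ := mustIssue("bob.example", false, []string{"bob.example"}, earlCA, earlKey)

	honest := x509.NewCertPool() // a normal client's trust store
	honest.AddCert(publicCA)
	corporate := x509.NewCertPool() // the office PC: public CA plus the proxy CA
	corporate.AddCert(publicCA)
	corporate.AddCert(earlCA)

	var hostErr x509.HostnameError
	var unknownErr x509.UnknownAuthorityError
	return Outcome{
		BobAccepted:     verifyAs(bob, "bob.example", honest) == nil,
		EarlOwnRejected: errors.As(verifyAs(earlOwn, "bob.example", honest), &hostErr),
		ForgedRejected:  errors.As(verifyAs(forged, "bob.example", honest), &unknownErr),
		ForgedAccepted:  verifyAs(forged, "bob.example", corporate) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The two rejections come from different checks: a certificate the public CA legitimately issued to Earl fails the hostname match, and a certificate Earl issued himself fails chain building with an unknown-authority error. Only adding Earl's CA to the client's trust store makes the forged certificate acceptable, which is exactly the manual CA install the corporate proxy relies on, and the same mechanism that makes a private lab CA work.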