Why SSL Certificates are meaningless on public computers…

You’re probably used to thinking that if you see that green lock icon in your browser, you’re safe.

Well, I’m here to tell you why you’re wrong, so let’s get started.

Keyloggers

In case you don’t know what a keylogger is, it’s more or less just a program that tracks everything you type. It sounds scary, but if you’re using Windows, you probably have the default Microsoft one built in, so thank you Microsoft :). Anyways, there’s no point to that green lock icon, if the local system admin can just see all your passwords. That’s not the scary part, the scary part is what if that information gets leaked onto the internet! Now, you have to change all your passwords, even though you saw that green lock.

Man In the Middle Attack

A man in the middle attack, or SSL decryption, as NerdOfCode claims its called(both are correct, I prefer the first one), is when someone is sitting in between your computer and the server you’re communicating with. This is quite easy to do on a normal HTTP session, but what about TLS(or SSL as you probably call it)? You can still sit in the middle, decrypt all the information, re-encrypt it and send it to the client. That takes care of the encryption, but what about the integrity and verification?

Well, TLS also verifies that the data was not tampered with during transit, and they also require a valid SSL certificate. This SSL certificate must be issued by a trusted party, or else you’ll see that big, red scary warning that this site is not secure. I think self-signed certs are a step above HTTP, or at least equal, but that’s for another post. Anyways, if the man in the middle proxy thing re-encrypts the data, because of how the keys work, it can’t be signed the way it was before, so it’s signed with a different key. Won’t the browser notice? It does, but nothing is stopping the system admins from marking their own certificates as valid.

Conclusion

While on a public Wi-Fi network on your own device, it’s pretty hard to hack HTTPS. But, when on a public computer, don’t log into anything, unless you’re confident that your two factor authentication is strong enough.

Leave a Reply(Markdown is On)