Solved

How HTTPS works?

Posted on 2011-02-19
2
263 Views
Last Modified: 2012-05-11
As per my understanding.. Web server keeps the Private and Public key and distribute it's public key and all the clients who want to connect to it's web server.

So Web server uses it's private key for encrypt and decrypt the message to client.. whereas client uses *only* the public key of web server for encrypt and decrypt the message to web server.

I would like to know.. why client doesn't use it's own private key here? I believe in Public Key Infrastructure (PKI) both party needs to have their own private and public key pair to participate. Why the private key of client is missing here? Thanks!
0
Comment
Question by:beer9
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 10

Accepted Solution

by:
cyberstalker earned 500 total points
ID: 34936121
The reason is that it is the client that needs to know if the server is who they say they are. You are not checking the identity of the user.

It is possible to set this up if you like. However, this only makes sense in, for example, a corporate environment where you need to make sure only certain computers can open your website, since you would need to set up a public key for the browser and add all the public keys to your webserver to verify them.
0
 

Author Comment

by:beer9
ID: 34936723
Thanks cyberstalker for your detailed explanation. I have one more concern.

In the web server and client interaction.. web server encrypt message with his private key which can only be decrypt using his public key and it is freely/openly available. So there is a chances that in man-in-the-middle attack hacker would capture the packet which web server sends to client and would able to decipher it using the public key of web server. So all the communication which web server sends to it's client is viewable by hacker.

So here the security is compromised, isn't it?
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question