0

I know that certificate validation is done by browser by validating the signature on the certificate adnd verifying it has been signed by trusted CA.

But what if I want to make man in the middle attach, by changing the server certificate sent to the client, send my fake certificate with my public key so that I can decrypt the traffic sent to me by the client, and copy-paste the original certificate signature "which had been signed by a trusted CA"?

Is the original server public key is used by the CA to generate it's signature?

Hopefully, I need some detailed material to understand about the entire public cryptography and SSl process

Thanks

KimoAnalyzer
  • 21
  • 2
  • Welcome to SO, please read [tour] and [ask]. This is a site for specific questions, not "getting started" or training or tutorials. You will need to do a web search and read sites like wikipedia to learn how SSL certificates work, and how man in the middle attacks work with HTTPS connections. You might also want to search for discussion forums or chat rooms where you can talk about this with other people. – Dave S Oct 27 '19 at 18:22
  • You cannot change just the public key, then copy-paste the original signature, because the signature covers the entire certificate -- it wouldn't match your modified certificate. What you could do (and what *is* done by some authorities) is install a "trusted" CA under your control, and use it to produce new certificates, giving the user the illusion of a trusted connection that is in fact snoopable by whoever handed out the replacement certificate. Certificate pinning (embedding particular certificates and refusing the connection if it doesn't match) is a defense against this. – Jeroen Mostert Oct 27 '19 at 18:24
  • 1
    This is more on-topic at [security.se]. It there are already questions similar to this, like [Why is faking SSL certificate difficult?](https://security.stackexchange.com/questions/11832/why-is-faking-ssl-certificate-difficult). – Steffen Ullrich Oct 27 '19 at 19:03

1 Answers1

0

The signature would be invalid because the key was changed.

To do what you want to do requires the certificate authority to sign your certificate instead. A certificate authority won't, because their reputation will plunge.

Remember StartCom?

Jeroen3
  • 919
  • 5
  • 20