0

I have a doubt on https connection -

In TLS/SSL handshake, browser/http client requests to server. Server responds with digial certificate. That means any one can get digital certificate.' This way a hacker can get a valid digital certificate, this digital certificate hacker can put in his server and use for successful https connection with browsers pretending his server is the valid server.

Can anyone please explain what actually happens here?

malik mohamed
  • 1
  • 1
    No, the hacker can't do anything because he still doesn't own the private key related to the certificate. Read any SSL introduction to learn more about it. – Eugène Adell May 01 '20 at 06:22
  • The point you are missing is that the client does not accept arbitrary "valid" certificates but that the subject of the certificate must match the domain the client tries to access. Only the domain owner should be able to get such a certificate from a publicly trusted CA. – Steffen Ullrich May 01 '20 at 06:47
  • Another point you are missing is that the server has to provide a digital signature signed by the private key that goes with the public key in the certificate: only the guy who really owns the certificate can do that. – user207421 May 01 '20 at 09:36

0 Answers0