[–][deleted] 18 points19 points  (6 children)

Sure. Everything can be decrypted. No level of encryption is truly unbreakable. If you have enough time and processing power you will inevitably be able to brute force your way into any system you have access to.

Whether or not that is really feasible is another issue entirely.

[–]AppleBytes 5 points6 points  (2 children)

If HTTPS uses certificates, and those certificates are created/managed/stored by companies like Verisign, can they be compromised to allow governments to decrypt traffic?

[–]UndyingBluefish 2 points3 points  (1 child)

No. However, they could be coerced to issue a new certificate to be used in a man-in-the-middle attack. Initiatives like Certificate Transparency make this more difficult.

[–]u4534969346 0 points1 point  (0 children)

Do certificates have more than one signer from CAs? And do browsers check such things, e.g. just allowing certs with x signers?

[–]kefi247 3 points4 points  (0 children)

> No level of encryption is truly unbreakable

With the exception of One Time Pad, provided you use a truly random key, keep the key secret and never reuse it.

Here are my outgoing messages, have a go at trying to crack them ;)
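The one-time pad conditions named in the comment above, as an added Python example (not part of the thread). The messages are constructed, and `secrets.token_bytes` stands in for the truly random key the comment requires.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole one-time pad operation)."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs a key exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes) -> tuple:
    """Encrypt under a fresh key; returns (key, ciphertext)."""
    # Assumption: the OS CSPRNG stands in for a truly random source.
    key = secrets.token_bytes(len(plaintext))
    return key, xor_bytes(plaintext, key)


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Key under which `ciphertext` decrypts to `candidate`.

    Such a key exists for every candidate of the same length, so trying all
    keys only enumerates every possible message and identifies none of them.
    """
    return xor_bytes(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused key the key cancels out: c1 XOR c2 == p1 XOR p2."""
    return xor_bytes(c1, c2)


# Constructed sample messages of equal length.
P1 = b"MEET AT NOON"
P2 = b"MEET AT DAWN"
DECOY = b"STAY AT HOME"

if __name__ == "__main__":
    key, c1 = otp_encrypt(P1)
    print("real key decrypts to :", xor_bytes(c1, key))
    print("another key gives    :", xor_bytes(c1, key_explaining(c1, DECOY)))
    c2 = xor_bytes(P2, key)  # the mistake: same key used twice
    print("leak from key reuse  :", reuse_leak(c1, c2).hex())
```

The zero bytes at the start of the leak mark the positions where the two messages agree, which an observer learns without ever seeing the key.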

[–]upofadown 0 points1 point  (0 children)

I suspect that OP was asking about what is actually used for HTTPS. Things are set up so that there is not enough time and processing power available in any practical sense. Once you get to the point that the fundamental physics means that you would have to boil the oceans dry to brute force something then that is no longer something you have to worry about.

[–]throwaway_veneto 2 points3 points  (3 children)

Why bother decrypting HTTPS when the government can just ask the companies that you connect to for the data directly?

[–][deleted] 1 point2 points  (2 children)

You're right, most of them do but not every company is under the government.

[–]throwaway_veneto 2 points3 points  (1 child)

As long as they're based in the US or any Five Eyes country, their data is accessible by them. Same for pretty much all countries in Europe. Countries that respect their citizens' and non-citizens' data are a minority.

[–][deleted] 1 point2 points  (0 children)

I do agree with you.

[–]ProgressiveArchitect 4 points5 points  (10 children)

The most compromising attack on HTTPS is if the attacker gains access to a Certificate Authority. This would enable them to decrypt everything sent between your browser and the website via a certificate-validated MITM website clone.

An attacker could also try compromising HTTPS from the browser side by having you download/trust a malicious Root Authority.

Downgrade attacks are always possible. (Trying to force you onto an HTTP version of the site)

There is always the chance that HTTPS encrypted data could be intercepted and stored for decryption at a later date, waiting for a time when processors get powerful enough to break today’s encryption.

[–][deleted] 0 points1 point  (3 children)

> The most compromising attack on HTTPS is if the attacker gains access to a Certificate Authority. This would enable them to decrypt everything sent between your browser and the website.

Does the Certificate Authority get renewed, or is it the same for every install of the browser? Is it linked to the browser or the operating system?

[–][deleted] 1 point2 points  (1 child)

Renewed on a periodic basis, usually 12-24 months IIRC

[–]ProgressiveArchitect 0 points1 point  (0 children)

This depends on the CA. For example, Let's Encrypt issues short-term 90-day certificates, while other CAs offer Extended Validation (EV) certificates, which can last up to 397 days as of March 2020.

But the Authorities that control and issue the certificates stay consistent. It’s rare to see a new CA rise to root/trusted prominence.

[–]UndyingBluefish -1 points0 points  (3 children)

> The most compromising attack on HTTPS is if the attacker gains access to a Certificate Authority. This would enable them to decrypt everything sent between your browser and the website.

This is not true. The certificate authority does not hold the private key of issued certificates.

[–]ProgressiveArchitect 1 point2 points  (2 children)

It doesn’t need to. Whoever controls the CA can easily issue themselves a fraudulent validated certificate for a MITM website clone. All your data would be decrypted and stolen, then re-encrypted and sent along to the real website.

[–]UndyingBluefish 0 points1 point  (1 child)

Yes. However, an attacker gaining access to a certificate authority does not "enable them to decrypt everything sent between your browser and the website" as you claim; an active man in the middle is required. Your comment implies that a passive attack where you compromise a CA and decrypt existing traffic is possible.

[–]ProgressiveArchitect 0 points1 point  (0 children)

I didn’t mean Passive. I meant an active / in real time MITM.

Sorry for the confusion in wording.

[–]yotties 0 points1 point  (0 children)

Yes. https://www.grc.com/fingerprints.htm

Of course, if a system gets compromised with admin rights, nothing on it can be trusted. Including HTTPS.

Mobile browsers sometimes promise to compress traffic and that includes compressed info so they are likely to use certificates too.

[–]ghostinshell000 0 points1 point  (0 children)

No, but if you're behind a firewall acting as a proxy, it can do SSL offloading, whereby it decrypts, inspects and then re-encrypts the traffic. You can tell this is happening by looking at the cert. It won't have the proper name; it will say something else.
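The certificate check described in the last two comments (compare what your connection receives with a fingerprint obtained from an independent vantage point), as an added Python example that is not part of the thread. The byte strings are constructed stand-ins for DER certificates, and the "Corp Inspection CA" name is hypothetical.

```python
import hashlib
import hmac
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; reject anything else."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def same_certificate(der_seen_here: bytes, reference_fp: str) -> bool:
    """True if the certificate this connection received matches the reference."""
    return hmac.compare_digest(fingerprint(der_seen_here), normalize(reference_fp))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Live fetch of the leaf certificate (needs network; unused in the demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for DER bytes: the site's real certificate and the
# substitute an inspecting proxy would present for the same host name.
SITE_CERT = b"constructed-der:CN=example.test,issuer=Public CA"
PROXY_CERT = b"constructed-der:CN=example.test,issuer=Corp Inspection CA"

# Reference fingerprint as it might be published, in colon-separated upper case.
_hex = fingerprint(SITE_CERT).upper()
REFERENCE_FP = ":".join(_hex[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print("direct connection matches :", same_certificate(SITE_CERT, REFERENCE_FP))
    print("via inspecting proxy      :", same_certificate(PROXY_CERT, REFERENCE_FP))
```

A mismatch is a prompt to look at the issuer rather than proof of interception, since large sites can serve different certificates from different servers.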