Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I plan to run the logged-in portion of my app in HTTPS, starting with from the log-in screen. Once the user is logged-in and continues his session entirely in HTTPS, how could a MITM attack be performed? Isn’t this kind of attack dependent on figuring out what the two parties are saying?
I’m using asp.net with WCF services, and later will port to Azure.
Thanks.
If your login session is encrypted with HTTPS, then you’re secure against MITM attacks. The client will send data to the server encrypted using the server’s public key, which can only be decrypted with the server’s private key. The client and server will then use this secure channel to agree on a secret key to use for their communication.
The MITM attacker cannot get at the private key because it’s private. They can’t present a certificate for the target domain because certificates can only be obtained from a CA, and (theoretically) the CAs your browser trusts won’t sign a certificate for a domain unless they prove they own it. They can’t get at the session key, so a MITM attack is impossible.