• 0 Posts
  • 7 Comments
Joined 11 months ago
Cake day: November 10th, 2023
  • CyberSeeker@discuss.tchncs.detoSecurity@lemmy.mlA doubt in encryption
    18·
    5 months ago

    For encryption, the client and server need to share their private keys.

    This is incorrect, for asymmetric (public-private) encryption. You never, ever share the private key, hence the name.

    The private key is only used on your system for local decryption (someone sent a message encrypted with your public key) or for digital signature (you sign a document with your private key, which can be validated by anyone with your public key).

    For the server, they are signing their handshake request with a certificate issued by a known certificate authority (aka, CA, a trusted third party). This prevents a man-in-the-middle attack, as long as you trust the CA.

    The current gap is in inconsistent implementation of Organization Validation/Extended Validation (OV/EV), where an issuer will first validate that domains are legitimate for a registered business. This is to help prevent phishing domains, who will be operating with TLS, but on a near-name match domain (www.app1e.com or www.apple.zip instead of www.apple.com). Even this isn’t perfect, as business names are typically only unique within the country/province/state that issues the business license, or needed to be enforced by trademark, so at the end of the day, you still need to put some trust in the CA.