HTTPS – Does it prevent men-in-the-middle and XSS?

February 25, 2017 , , , , ,

Now that you’re already informed about the advantages of HTTPS and why you should do it, let’s drill down to the specifics of how a SSL encrypted connection can protect your website, your users and your server.

What is a men-in-the-middle attack?

A MITM attack is when the attacker sniffs, relays and likely changes the communication between two network entities who believe they’re communicating directly with each other. This attack is extremely common and can be used to steal cookies, passwords and other sensitive information.

How can I prevent it?

Using HTTPS can immediately make things a lot easier. The secure connection with authentication is based on a public/private key pair: When a certificate is installed, the browser used the public key to encrypt the information and send it to the server. On the other side, the server can decrypt it because it has the private key. The authentication is issued by a Certificate Authority (like Symantec).

Because of this, even if the attacker is in the middle sniffing your network and trying to get something, all he’s going to see are encrypted packets.

Is it unbreakable?

Not exactly, but it’s not easy: men-in-the-middle attacks over HTTPS connections can only be achieved if the concepts of SSL are broken somehow:

  • The user voluntarily trusted an untrustworthy certificate.
  • The server private key has been stolen – This means the attacker can put himself in the middle and pretend he’s the server, decrypting your data.
  • For some reason, the client is not verifying the authenticity of the certificate authority and doesn’t bother with checking if it’s a valid Certificate Authority.

What about XSS (Cross-site scripting)?

We’re talking about different things: SSL encrypts the connection between the browser and the server (and avoiding sniffing of the transferred data) and XSS is a vulnerability of your website code, so just because you encrypt the connection, doesn’t mean that what goes inside is safe. We’re talking about different things that need different approaches.