-1

I was just reading about the differences between http and https briefly. And what I have not understood is the following possible scenario:

Everyone has SSL public key right?

So, anyone can get the public key from a web server and then use it to decrypt the messages sent from the web server? This way, if the web server sends any secret information, the intruders can know that, right?

I understood that the private key is with the web server, so only the web server can decrypt the encrypted message (using public key) sent by the browser. And so the data sent from the browser is secured. But I doubt if the data received from the web server is really secured.

Or let's say if the public key changes from user to user. But the intruder can hack it when the browser sends it for the first time right?

Please correct me if I understood it wrong.

EDIT: Okay, I think I get it from the description provided by the questioner in this link:

How does SSL work? Isn't there a hole?

It says:

When Client connects to company.com on its SSL-secured port, the company sends back its public key (and some other information, like what Ciphers it supports). ... Once the client is happy with the server (and the server with the client, if needed), then the client choose an SSL Cipher to use from the list of encryption methods provided by the server, and generates a “symmetric key” (password) for use with that Cipher. The client encrypts this password using the server’s public key and sends it back to the server. The server (and only the server) can decrypt this message and get this password, which is now shared by both the client and server.

It means that the client won't encrypt just with the public key he has, but uses a password that he generated (symmetric key) which will be shared with the web server using the public key encryption. And only the web server can know the password shared by the client, as only he owns the private key part. So, both the web server and the client use the symmetric key to encrypt messages, which no one knows or can intrude.

Am I right?

5
  • 1
    Too many questions in one post.
    – Moab
    Commented Oct 2, 2015 at 14:25
  • 1
    @moab it's just a single question
    – GP92
    Commented Oct 2, 2015 at 15:19
  • 1
    I see 8 question marks (including title), it is not a single question.
    – Moab
    Commented Oct 2, 2015 at 16:34
  • @Moab Have you read the question..those question marks are just an expression..but my question is only one.
    – GP92
    Commented Oct 2, 2015 at 16:38
  • Disagree, they are questions which could have possible answers.
    – Moab
    Commented Oct 2, 2015 at 16:47
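The key exchange quoted in the question's EDIT, as an added example that is not part of the original post. Toy textbook RSA (small primes, no padding) and a SHA-256 keystream stand in for real TLS primitives; every name and value here is constructed for illustration.

```python
import hashlib
import secrets

# Toy RSA key pair built from two known Mersenne primes (demo only, far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key: handed to every client and visible to anyone
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: never leaves the server

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || label || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def client_make_session_key():
    """Client picks a random symmetric key and wraps it with the server's PUBLIC key."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), E, N)
    return session_key, wrapped

def server_unwrap(wrapped: int) -> bytes:
    """Only the holder of D can undo the wrapping."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def eavesdropper_guess(wrapped: int) -> bytes:
    """An observer knows only E and N; applying the public key again just re-encrypts."""
    return (pow(wrapped, E, N) % 2**128).to_bytes(16, "big")

def run_exchange(secret: bytes = b"secret account balance: 42"):
    client_key, wrapped = client_make_session_key()     # 'wrapped' travels over the wire
    server_key = server_unwrap(wrapped)
    # The server's reply is encrypted with the shared session key, not with the private key,
    # so knowing the public key gives an observer nothing to decrypt it with.
    reply = keystream_xor(server_key, b"s2c", secret)
    seen_by_client = keystream_xor(client_key, b"s2c", reply)
    seen_by_eavesdropper = keystream_xor(eavesdropper_guess(wrapped), b"s2c", reply)
    return client_key == server_key, seen_by_client, seen_by_eavesdropper

if __name__ == "__main__":
    same_key, client_view, spy_view = run_exchange()
    print("keys match:", same_key)
    print("client reads:", client_view)
    print("eavesdropper reads:", spy_view.hex())
```
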

2 Answers

0

I think you are getting a better idea, but think of it this way. Encryption tends to use a public key and a private key, both are used to unlock it and the only one that is known is the public key. The private key tends to be stored with the SSL certificate, so no one knows the key used to decrypt the messages. This secures the messages going both ways, and unless using a vulnerability, it's impossible for someone to tell what is being sent back and forth. Vulnerabilities tend to involve malware or a fake SSL certificate, but you can google that to find out more about those kind of issues.

What I think you should also know is that encryption isn't foolproof, and can be broken depending on how strong the key is. A good example is the SuperFish (I think that's the right name) that Lenovo was involved with a few months ago; they were using an SSL certificate that would override the certificate for other websites. This just means it was using their SSL certificate for secure access to various sites, but the problem was the private key had an easy to guess password. They didn't have to break the algorithm, because the company used the company name for the password (komodia). Now any computer using those Superfish certificates was no longer secure, as anyone could decrypt the messages and see what information was being sent back and forth. The only obstacle would be to get access to the traffic, but that's another topic.

That isn't common, but most sites use strong keys that can take many tens to hundreds of years before they're broken (without having the password). If you want to know about what makes the certificates strong or not, you can google that as well. Does that clear up any other confusion?

8
  • Thanks. Last time when I read about Lenovo's superfish, I didn't know what I was reading.
    – GP92
    Commented Oct 2, 2015 at 15:24
  • I don't think the Superfish private key was weak; it was just that its passphrase was included in the malware installed on the Lenovo machines. This password was needed to create fake certificates for whatever website one was visiting, allowing Superfish to inject ads in those pages.
    – Arjan
    Commented Oct 14, 2015 at 15:25
  • Think of it this way, the password for the private key is the company name that used Superfish, which was a pretty easy to guess password (it didn't take long for people to figure it out either). That's the same as leaving the key for an impregnable door, under the door mat. That makes it weak/easy to break into. I'm not saying the algorithm used was weak, but either of the two can make a private key weak (algorithm or password).
    – dakre18
    Commented Oct 14, 2015 at 15:37
  • ... "the private key was weak and when it was broken, it used an easy to guess password" suggests otherwise, I feel. That said, I feel the main problem was distributing the private key and its passphrase (plus installing their own root certificate in the OS)...
    – Arjan
    Commented Oct 14, 2015 at 16:09
True, I could fix the wording on that, but distributing isn't a problem if the password is easy to guess. People have a bad habit of being lazy with passwords, so they use something easy to remember that they are familiar with (check Ashley Madison top 10 passwords). In this case, it wouldn't matter how many people distributed it, because they found it by guessing instead of breaking the algorithm. If journalists and security experts can guess the password, it would be easy for any bad guys to guess it (who do it for a living).
    – dakre18
    Commented Oct 14, 2015 at 17:29
0

HTTPS is the higher version of HTTP; it was specially created for secured transactions between client and server. This connection works on either the SSL or TLS communication protocols, and both protocols use an asymmetric public key infrastructure system. An asymmetric system uses two keys (public/private) to encrypt/decrypt data. When a client requests a page from any server, the server sends two things with the response to the client, which are a public key and a certificate. Whenever communication is done again on this channel, the server encrypts/decrypts data using the private key, and the browser has its public key to encrypt/decrypt data.

You have a question: is it possible to hack these keys?

In my opinion, it is possible.

At this time there are a lot of algorithms to encrypt and decrypt data/keys. For example, take the algorithm SHA, which has many versions and is improving itself day by day. For more information about SHA3 visit this link. So if an intruder hacks the public key, it is not possible for them to decrypt it without the SHA key with which the key is decrypted (what I have learnt from Google), because SHA-3 does 24 rounds of encryption on the data with a key. Somewhere I had read that SHA-3 is more powerful than other algorithms. So if any intruders have the public key on hand, then they cannot decrypt its data directly; they need another key with which these keys (public/private) are encrypted. Data is encrypted by the keys, and the keys are also encrypted by another key which is not shared on any platform, either client or server. If any changes are made in these keys, then it will be identified by the server, and for data also, because somehow it generates a hash code using which it can be identified. See this: How SHA works, Secure Hash Algorithm Mechanism

HTTPS is the more secure connection to this day, and every site that requires secured transactions uses only an HTTPS connection between clients and server.

In conclusion, if the key is not protected by intruder then this algorithm can identify changes in the data. That's why it is possible for secured connections.

Hope this will help you to understand what exactly is going on behind this scene.
