How does HTTPS prevent replay attacks?

When an HTTPS conversation is initiated, a random number is generated to create a key for the exchange (or something like that). What I don't understand is how this prevents replay attacks.

Why can't an attacker just repeat all the requests that the real client made?

This answer claims it isn't possible, while this answer claims the opposite. I can't see how an attack wouldn't be possible, unless there were nonces involved.

Chris Middleton asked Nov 14 '25 10:11


1 Answer

The answer is here, courtesy of @Emirikol: https://softwareengineering.stackexchange.com/a/194668/245162

HTTPS can be enough to secure the server from replay attacks (the same message being sent twice) if the server is configured to only allow the TLS protocol as per RFC 2246 section F.2.

This is done through the use of Message Authentication Codes (MACs).

Also see: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake_in_detail

Adrian K answered Nov 17 '25 10:11
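The answer above says the protection comes from the MAC, but not what the MAC covers. The following is an added illustration (not part of the original question or answer, and not a real TLS implementation) of the two mechanisms that make a captured HTTPS record useless to a replayer: the record-layer MAC in TLS 1.0 (RFC 2246) is computed over an implicit 64-bit sequence number that both ends count but never transmit, and the traffic keys are derived from the client and server randoms, so records from one connection do not verify under another connection's keys. Names such as `Sender`, `Receiver`, `derive_mac_key` and the request bytes are made up for the example; the HMAC-SHA256 key derivation is a stand-in for the TLS PRF, and encryption is left out because only integrity matters for the replay argument.

```python
"""Toy model of why a captured TLS record cannot be replayed.

Simplifications relative to RFC 2246 (this is illustration, not TLS):
  - the MAC input is seq_num || type || length || fragment (the version
    field is omitted), keyed with HMAC-SHA256;
  - derive_mac_key() stands in for the TLS PRF: it binds the key to
    client_random and server_random, which is the property that matters;
  - records are not encrypted, because replay detection rests on the MAC.
"""
import hashlib
import hmac
import os
import struct

APPLICATION_DATA = 23  # TLS ContentType value for application_data


def derive_mac_key(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Stand-in for the TLS PRF: key material depends on both handshake randoms.
    return hmac.new(pre_master_secret, client_random + server_random, hashlib.sha256).digest()


def mac_input(seq: int, content_type: int, payload: bytes) -> bytes:
    # seq is a per-direction counter kept by both ends; it is NOT sent on the wire.
    return struct.pack("!QBH", seq, content_type, len(payload)) + payload


class Sender:
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def protect(self, payload: bytes, content_type: int = APPLICATION_DATA):
        tag = hmac.new(self.mac_key, mac_input(self.seq, content_type, payload), hashlib.sha256).digest()
        self.seq += 1
        return (content_type, payload, tag)  # the record carries no sequence number


class Receiver:
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0

    def accept(self, record) -> bytes:
        content_type, payload, tag = record
        expected = hmac.new(self.mac_key, mac_input(self.seq, content_type, payload), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad_record_mac")  # TLS would send this alert and close
        self.seq += 1
        return payload


def replay_within_session():
    """Re-send the same record on the same connection: the receiver now expects seq 1."""
    key = os.urandom(32)
    client, server = Sender(key), Receiver(key)
    record = client.protect(b"POST /transfer amount=100")  # constructed sample request
    first = server.accept(record)
    try:
        server.accept(record)  # attacker replays the identical bytes
        replay_accepted = True
    except ValueError:
        replay_accepted = False
    return first, replay_accepted


def replay_across_sessions() -> bool:
    """Replay the captured record on a new connection: the server picks a fresh random."""
    pre_master = os.urandom(48)
    client_random = os.urandom(32)
    captured = Sender(derive_mac_key(pre_master, client_random, os.urandom(32))).protect(
        b"POST /transfer amount=100"
    )
    # Even if the attacker resends the same ClientHello and the same encrypted
    # pre_master_secret, the server's new random changes every derived key.
    new_key = derive_mac_key(pre_master, client_random, os.urandom(32))
    try:
        Receiver(new_key).accept(captured)
        return True
    except ValueError:
        return False
```

Two caveats a practitioner should keep in mind. First, this protects the transport: a user clicking "submit" twice is two legitimate TLS records and needs an application-level nonce or idempotency key. Second, TLS 1.3 0-RTT early data (RFC 8446) is explicitly not replay-protected, so a server that enables it must not process non-idempotent requests from early data.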


