 

Why is TLS/SSL necessary? [closed]

Tags: php, ssl, openssl

I know everyone uses TLS/SSL as transport layer security on the web.

What would prevent me from generating, let's say, a keypair manually, encrypting data client-side (using JS, for example) with that public key, and submitting that data to my server with an HTTP GET/POST request?

I mean, I can just use a JS library to encrypt some form data with that public key, right?

Only the person who has the private key can decrypt it, right? And the private key would be kept on the server, of course. No key warning will pop up, since the transmission is a regular HTTP request. So why do I need TLS?

Ryan Eckert asked Dec 15 '12 03:12


1 Answer

How do you trust that the JavaScript delivered to the browser is the JavaScript that will encrypt with the correct key?

Think about it for a second, and realize that security best practices are very subtle and nuanced and simply slapping encryption on top is not a solution.

Also, if you're dealing with the "key popup", you've broken one leg of the TLS trust model (the trusted certificate authority) by using an unsigned server certificate.

Yann Ramin answered Sep 26 '22 16:09
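The trust gap the answer points at, modelled in-process with Node's `crypto` module. This is an added example, not part of the original question or answer; `servePage`, `rewriteInTransit`, `browserSubmit` and `simulate` are hypothetical names, and the form data and key pairs are constructed for the demonstration.

```javascript
const nodeCrypto = require('crypto');

// Constructed key pairs: the site's own key, and one held by a hop on the HTTP path.
const newPair = () => nodeCrypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const server = newPair();
const intermediary = newPair();

// The page as the server sends it: the encryption key travels inside the script.
const servePage = () =>
  JSON.stringify({ script: 'encryptForm', publicKey: server.publicKey });

// Plain HTTP carries no integrity protection, so the body can change before it arrives.
const rewriteInTransit = (body) =>
  JSON.stringify({ ...JSON.parse(body), publicKey: intermediary.publicKey });

// The browser encrypts with whatever key arrived; it has nothing to compare it against.
function browserSubmit(pageBody, formData) {
  const { publicKey } = JSON.parse(pageBody);
  return nodeCrypto.publicEncrypt(publicKey, Buffer.from(formData));
}

// Returns the plaintext, or null when the ciphertext was not made for this key.
function tryDecrypt(privateKey, ciphertext) {
  try {
    return nodeCrypto.privateDecrypt(privateKey, ciphertext).toString();
  } catch {
    return null;
  }
}

// Runs one form submission and reports who is able to read it.
function simulate(tampered) {
  const body = tampered ? rewriteInTransit(servePage()) : servePage();
  const ciphertext = browserSubmit(body, 'password=hunter2');
  return {
    server: tryDecrypt(server.privateKey, ciphertext),
    intermediary: tryDecrypt(intermediary.privateKey, ciphertext),
  };
}

console.log('untampered:', simulate(false));
console.log('rewritten :', simulate(true));
```

In the rewritten case the server cannot decrypt the submission and the other key holder can. TLS closes this gap by authenticating the server and protecting the page's integrity before any script runs.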