Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

In situations where the consumer doesn\'t trust/control the workstation and the

ID: 655783 • Letter: I

Question

In situations where the consumer doesn't trust/control the workstation and the network, can consumer safely do potentially sensitive activities (like making a payment or transferring confidential documents) over the internet when HTTPS is used?

For instance: when I use my employer's computer and am on the company network, or I am in an airport and use a public kiosk there, is there a way to keep them from spying on me?

Naturally, IT administrators in these circumstances are in full control of CA management, and could potentially use a proxy and load the proxy's certificate into the trusted root list, so my browser would show everything being fine.

My current understanding is that as long as I can verify that the cert isn't spoofed and is signed by a well known CA, I can be assured that there's no one eavesdropping on the traffic.

Now if my previous statement is correct what is the best way to verify that cert? I understand that I can just open it up and inspect the CA's name, but are there any extra steps I can take? For instance, could I somehow export the cert I'm receiving from the HTTPS site and submit it to some service for verification?

Explanation / Answer

On an untrusted computer, you cannot know that no one is eavesdropping. This is just a fact of security -- TLS can protect against a man-in-the-middle, but nothing whatsoever can protect you against someone with administrative access to your computer. Even if you have public key pinning for the site, which means that a rogue CA can't create a fake certificate for it, you have no way of knowing that there's not something installed on your computer that is recording the screen and logging keystrokes (such spying software isn't that uncommon). There are ways to mitigate an untrusted network. There are no ways, and can be no ways, to deal with an untrusted OS besides not using that OS.

TLS is designed to handle specific types of attackers -- specifically, active and passive attackers between you and the server, as well as people impersonating the server. It is not designed to protect against your situation; in general, implementations actually support the ability for an administrator to install their own root CA and MitM the traffic (Chrome will actually make an exception to public key pinning in this situation, because it requires admin access to the machine and there's no way of stopping an admin from doing what they want anyway).

Related Questions

In service industries, capacity is often viewed as the _____. a. minimum rate of
Question #379210
In service, a rotating steel shaft is subjected to an alternating stress of +/-
Question #1855302
In service, a rotating steel shaft is subjected to an alternating stress of +/-
Question #1862079
In sesame plants, the one-pod condition(P) is dominant to the3-pod condition (p)
Question #2771
In sesame plants. the one-pod condition (P) is dominant to the three-pod conditi
Question #79640
In set theory, the union of two sets is the list of all elements that appear in
Question #3635120
In set theory, the union of two sets is the list of all elements that appear in
Question #3635316
In set theory, the union of two sets is the list of all elements that appear in
Question #3635453
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
In situations where I need to write observer/subscriber code, how would I choose
Next
In situations with high symmetry, as in the following example s, it greatly simp

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.