Let's say I have a public website with HTTPS. I allow anyone to post a message to an API endpoint. Could a server like this read the message? How?
They have a relationship with your cert provider and get a copy of your cert or the root so they can decrypt the traffic.
They would just compromise wherever your TLS is terminated (if not E2E, which most of the time it is not), but also just taking a memory dump of your VM / hardware to grab the TLS keys and being able to decrypt most future and past traffic is also an option.
Yes, unless you pinned the public key.
They may not be able to decrypt it now, but it is well known that most encrypted Internet traffic is permanently stored in NSA data centers [1] with hopes of decrypting it soon once quantum computing can do it.
[1] https://en.wikipedia.org/wiki/Utah_Data_Center