security - How can a server know the request is coming from client, not an eavesdropping hacker? -

-

i have simple question can not find simple answer to, missing or don t know how networking concept works. , want know don t know.

simply, question while eavesdropping possible, how can server know request coming client, not eavesdropping hacker.

scenario :

whatever security policy having, should send client. might asymmetric encrypted token or sth. client has no private key, whatever client able do, send etc, hacker can do, send too.

what might logic behind securing web application. there should secret client knows.

btw learning jwt , first time learning auth. simple question still unable find answer to.

how can server know request coming client, not eavesdropping hacker?

it doesn't.

it client verify server 1 expects talking to. it's called public key infrastructure.

tls/ssl can used connection on https - note not have diffie hellman, there other key exchange mechanisms such rsa.

imagine following scenario.

client --> https --> example.com

the client dns lookup example.com, , 203.0.113.10 returned. client connect 203.0.113.10 on https, , initial part of connection called handshaking process. here client checks domain thinking of connecting to, example.com, has certificate signed trusted certificate authority subject set "example.com". prevent following happening:

client --> https --> attacker (fake example.com)

for example, if attacker had taken on dns server , changed example.com point him (198.51.100.200).

this attack prevented because attacker cannot prove ownership of example.com certificate authority , therefore won't able certificate signed in order prove clients server trusted.

https encrypts connection, , exchanges keys in secure manner. ensures established connection cannot read.

so once connection established, , user logs in, server send session token client, can in form of jwt. if cookie , secure flag set, can transmitted on https connection. how server knows hasn't been intercepted because client has verified server , has encrypted data in transit using unique keys agreed both parties.

client --> https --> attacker (fake example.com) --> https --> example.com

is not possible (active man-in-the-middle), shows situation in original question intercepts communications , passes jwt real server, observing private data in transit. this, if plain http used (no ssl/tls):

client --> http --> attacker (fake example.com) --> http --> example.com

Comments

Post a Comment

Popular posts from this blog

wordpress - (T_ENDFOREACH) php error -

-
creating wordpress website , i'm getting following php error: parse error: syntax error, unexpected 'endforeach' (t_endforeach) in /home/soralmedia/public_html/wp-content/themes/soral media/woocommerce/myaccount/my-orders.php on line 98 here's code file: <?php /** * orders * * shows recent orders on account page. * * template can overridden copying yourtheme/woocommerce/myaccount/my-orders.php. * * however, on occasion woocommerce need update template files , (the theme developer). * need copy new files theme maintain compatibility. try this. * little possible, happen. when occurs version of template file will. * bumped , readme list important changes. * * @see http://docs.woothemes.com/document/template-structure/ * @author woothemes * @package woocommerce/templates * @version 2.5.0 */ if ( ! defined( 'abspath' ) ) { exit; } $my_orders_columns = apply_filters( 'woocommerce_my_account_my_orders_columns', array( ...
Read more

Export Excel workseet into txt file using vba - (text and numbers with formulas) -

-
i new vba have developed code use in excel move text/numbers txt file. issue have 3 functions need go same txt file. when run first function has set fs = createobject("scripting.filesystemobject") set = fs.createtextfile(module1.nys45uploadfilename, true) a.writeline (str) a.close. the other 2 functions had save. set fs = createobject("scripting.filesystemobject") set = fs.savetextfile(module1.nys45uploadfilename, true) a.writeline (str) a.close. the first function go txt file, other 2 error object doesn't support property or method. when changed 3 create last function goes txt file. can not figure out word use in order make other 2 functions follow txt file in order keyed. the entire code follows private sub addrecord_click() on error goto errhandler module1.nys45uploadfilename = application.getsaveasfilename(filefilter:="textfiles (*.txt), *.txt") if module1.nys45uploadfilename = "false" exit sub ...
Read more

Using django-mptt to get only the categories that have items -

-
sample structure: all uppercase: category mixed case: item root ├── books │   ├── fiction │   │   └── classics │   └── non-fiction ├── clothing └── electronics ├── laptops ├── phones │   ├── apple │   │   ├── iphone 6 │   │   ├── iphone 6 plus │   │   ├── iphone 6s │   │   └── iphone 6s plus │   ├── motorola │   │   ├── moto g4 │   │   ├── moto g4 play │   │   ├── moto g4 plus │   │   └── moto x │   └── samsung └── tablets └── apple i'm trying have index page show "electronics" category. "clothing" category shouldn't show since it's empty , "books" category shouldn't show either since, although has child categories, child categories don't have items. similarly, "electronics" page should show "phones" category. "laptops" category shouldn't show since it's empty , "tablets" category shouldn't show either since...
Read more