I was reading about "hacking" and it said now days its very had to do especially with something like "https" where it is protected?

Can you please explain to a layman why https is hard to bypass/hack. The person who wrote the article said that it is near impossible.


This is out of curiosity

4 Answers

  • 1 month ago
    Favorite Answer

    HTTPS is hard to crack as each time a new browser session is started, a new encrypted connection is started to the site; there is no single encryption that could be broken to permanently reveal all future content.

    And the encryption "key" is at least 1024 bits long; that's roughly 1798 with another 305 zeros after it, in decimal.

    Even if it were possible to make billions of attempts to crack it each second, it would take more than the lifetime the universe to try all possible values...

    (10^281 times the present age).

    It's pretty secure....

    And new "master key" certificates are produced every year or two, just to be sure nothing get past it.

    The only moderately feasible way is a "man in the middle" attack, where the network communication passes through an intermediate machine that spoofs the connection both ways, so each computer has a separate HTTPS link with separate encryption, but only as far as the intercepting system & that decrypts and re-encrypts traffic both ways.

    "Hacking" as depicted in movies & TV fiction has little bearing on the real world.

    To an original hacker (as Snezzy describes), breaking in to things is cracking - but that does not sound as good in movies.

    Virtually all compromises blamed on hackers nowadays are actually social engineering stunts of various types, that trick people in to voluntarily giving away their security info.

    That's such as "phishing" emails & fake web sites etc., plus even major companies have been compromised by such as someone phoning in and pretending to be an employee who's forgotten their password.....

    [Electronics designer & programmer for ~50 years and a 1970s (legal) Hacker, building and programming my own computers].

  • Lv 7
    1 month ago

    you should look up what a bit is. it's a single piece of information. a 1 or 0. it takes 8 bits to make a byte: a single character on a keyboard that can be any of 999,999 characters.

    HTTPS uses primarily TLS encryption, which uses up to 256-bit encryption. 128-bit is unhackable. 256-bit is ridiculous.

    what is meant by 256źbit is that is the length of the password hash used for encryption.it is 2^256 (two to ghe 256th power), which is basically 2 times itself, 256 times. doesn't sound too bad, until you do the math:










    can you imagine trying to guess a one thousand digit password? and that's just the first 9 bits! you still have to double that number 241 more times!

    so yeah, "unhackable" is an understatement.

    but honestly, there are plenty of better and easier ways to hack. https is old news...

  • oyubir
    Lv 6
    1 month ago

    Well, I suspect it was me. I used that very expression (near impossible) about HTTPS in an answer about hacking a few days ago. And that was an answer to a question you asked.

    What I meant is quite simple: such securities are theoretically not just hard to hack. They are impossible to hack. Theoretically. But there could be a breach (you can't assume there is one. Hackers are not magicians who find breaches where there are none. That is why they usually don't target a single tech. That is why "hacking this" can be impossible, while "hacking something, whatever" is always possible: you just have to find a weak target)

    So, lot of protocols that are supposed to be secure, happen to be not that secure. Because of bugs. Because of naiveté in their coding.

    But it is very very unlikely that it can be the case of https. Because this thing is used everywhere. It has been (unsuccessfully) attacked more than anything. It has been checked constantly by literally thousand of experts. 

    So it is quite simple indeed: to find a breach in https, you have to find something that probably isn't even there, you have to find something that thousand of experts checked wasn't there, you have to find something that thousand, maybe millions, of hackers failed to find before you.

    Where as to find a breach in the account management of CoolAndroidGame [fake company name. Sorry if it is a real company I am not aware of], you just find a breach that one tech guy at CoolAndroidGame says he has made impossible (probably being out of his field, since I doubt they hires cryptography expert), and that nobody really tried to hack before you did.

    It would be simply less surprising that you find a breach somewhere, when nobody had already tried before you did, than finding a breach somewhere when zillions of people failed to find one before you did.

    That is why, nowadays, CoolAndroidGame tends to not rely on home made security layer. They just rely on SSL, HTTPS, or other very improved and tried techs.

    So my comment was just about that simple fact, that SSL, HTTPS, ... have far more man.hours of work to make them safe, and far more man.hours of unsuccessful attack attempts.

    It was not about the algorithm itself. Algorithms that make decipher impossible are older than computers anyway. Not saying that there is no hard science in this (especially when you have to communicate with short keys, and with people with whom you haven't exchanged any keys prior to the communication). But that is generally not the weak part. It is plain old bugs that are the breaches, usually.

    Of course, for https, you can try to convince user to bypass the security.

    With a man in the middle attack (which is quite easy. My students do it in on single 3 hours session) you can easily read communication. But the user has to click "ignore" on the warning that the authentication key is not valid (which some users tend to do, because there are some legit websites that uses invalid keys, or self signed keys. So, people tend to click "ignore" without worrying and even reading).

    You could also try to convince people to install your own authority in their browser. Which then allows you to sign fake keys that their browser will accept without a warning.

    You could probably do harm with extensions.

    You could bribe an authority (one of the companies that validate https certificates)

    You could distribute you own altered version of firefox with your own authority embedded.

    So, there are some way "around" https. But they rely on the ignorance or recklessness of the user. On social engineering generally speaking.

    Maybe https itself has a breach. But if it has one, it is a hard to find one, that zillions of hackers failed to find so far.

    So, it is easier to go for social engineering.

  • Snezzy
    Lv 7
    1 month ago

    First of all, allow me to go out on a limb regarding terminology. The original meaning of hacking is, "coming up with a neat, but probably unorthodox, solution for some sort of technical or mathematical problem, particularly in the fields of electronics and computers." Look up HAKMEM to find a lot of information about MIT hacks. The major resource is AI Memo 239.

    You can see if you follow from that perspective why genuine hackers, in the original sense, dislike the new usage of the term in its criminal connotation.

    Now let's glance at https. The original http was not designed with much security in mind. Why would anyone want to mess around with someone else's web page. Well, why indeed! You could get in and maybe steal money or something.

    What's the difference? Here's a quote from somewhere in the web: "HTTPS is HTTP with encryption. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses. As a result, HTTPS is far more secure than HTTP."

Still have questions? Get your answers by asking now.