Can HTTPS be decrypted if connected to a malicious router?

If one connects to a router with malware, is it possible for the attacker to decrypt the data sent using SSL or TLS without the victim or the server noticing? I stayed in an Airbnb where the router could be accessed by any of the previous guests, and now I'm a bit concerned about my private data being stolen.


Generally, no.

It is possible to set up an “SSL proxy server” that decrypts traffic, and this is often done within the context of a corporate or school network, but such a proxy requires client-side configuration: the corporation or school needs to install custom SSL Certificate Authority keys that the computer will consider to be trusted, so that the SSL proxy can self-sign certificates for encrypted websites and the computer just accepts them without flashing any errors to the user. If your device is not managed in such a way (e.g., it’s a personal PC and you haven’t gone and manually installed custom CA certs), such an SSL proxy would be very obvious to you because your web browser would throw up errors about an untrustworthy connection: a site is using an SSL certificate that isn’t signed by anybody that your computer trusts.

If you’re worried about a random Airbnb router decrypting your traffic, you would notice: your browser would give you all the scary warning messages and probably wouldn’t even allow you to bypass them manually. Some SSL warnings can be clicked through, like if a certificate is simply expired and the site owner forgot to renew it, or if the certificate is self-signed for a small random site, but when it’s a big site like Google or Facebook, any cert errors usually mean the browser will not let you bypass the error: big sites have their CA certs preloaded and browsers are extra cautious. But client-side trusted CA certs (as in SSL proxies for work/school) bypass that.


(This doesn’t change the fact that you’re right) SSL proxies can work transparently if you have the target server’s private certs. Which could be useful if you were some giant company that wanted to do packet inspection on inbound traffic before it hits your web server. Hypothetically.

Ah! Thank you for the clarification! That makes more sense.

Content like yours is why the community forum is awesome. Have a good one.

Sorry, I’m new to these things, but isn’t this what Burp Suite does when it intercepts the traffic?

Yes it is! And you install Burp Suite’s CA cert so your browser doesn’t flash all kinds of errors accessing HTTPS sites while running the proxy.

HTTPS encryption will protect you from “man in the middle” attacks. It is safe to use even over untrusted networks. A router in the middle cannot decrypt it.

SSL provides end-to-end encryption. If the client and router aren’t sharing a certificate between them, then no. HOWEVER, that all goes out the window the minute you accept a certificate error.

Thanks for all the amazing responses. I didn’t know there would be so many passionate people in this community!