0 votes

I have been reading the Stripe documentation and it requires that the production website has an SSL certificate.

My understanding is that because the card information is being sent to Stripe over HTTPS and only a charge token is returned, no personal/confidential information is available through a man-in-the-middle attack. The credit card information sent to Stripe is encrypted (as it is sent to an HTTPS URL) and only a charge token is returned, which an attacker can't do anything useful with, as it can only be used to make a single charge to the company it was created for.

Can anyone explain how an SSL certificate would help protect the user in this case? Of course it is better to have the SSL certificate but I would like to know why it is required.

Thanks.


1 Answer

1 vote

The server certificate is essential to protect against MITM attacks in HTTPS. It is used to prove the identity of the server to the client.

Without it, you would have encryption, but no authentication of the remote party, so essentially you'd be exchanging data with someone, but you wouldn't be sure who that is: you could essentially be exchanging a secret with a MITM attacker who would have intercepted the connection.

Of course then, the client needs to verify that it trusts the certificate (that's what CAs are for) and that it matches the name of the server it was looking for. Browsers normally do that (and that's why users shouldn't ignore warnings).

(You may be interested in this question on Security.SE: "What is an SSL certificate intended to prove, and how does it do it?")
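As an added illustration (not part of the answer above), here are the two checks the answer names, a trusted issuer and a hostname match, written over the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The certificates and the trust store are constructed for the example, and the issuer check is a stand-in for real chain verification; in practice `ssl.create_default_context()` performs both checks for you.

```python
# Constructed trust store: issuer common names we accept (stands in for a CA bundle).
TRUSTED_ISSUERS = {"Example Root CA"}

def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def _dns_pattern_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no wildcard, wildcard too high up, or label-count mismatch
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert, hostname):
    """Only subjectAltName DNS entries count; browsers ignore commonName for this."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_pattern_matches(san, hostname) for san in sans)

def issuer_trusted(cert):
    """Simplified trust check: the issuer must be in our store. Real verification
    also checks signatures, validity dates and revocation up the whole chain."""
    return _rdn_value(cert["issuer"], "commonName") in TRUSTED_ISSUERS

def verify_peer(cert, hostname):
    """Return (ok, reason). Encryption alone never makes this True; identity does."""
    if not issuer_trusted(cert):
        return False, "untrusted issuer: browser would warn, do not click through"
    if not hostname_matches(cert, hostname):
        return False, "certificate is valid but not for this host: possible MITM"
    return True, "ok"

def _cert(subject_cn, issuer_cn, sans):
    """Build a constructed certificate in the same shape getpeercert() returns."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}

GOOD = _cert("shop.example.com", "Example Root CA", ["shop.example.com"])
WILDCARD = _cert("*.example.com", "Example Root CA", ["*.example.com"])
WRONG_HOST = _cert("other.example.net", "Example Root CA", ["other.example.net"])
SELF_SIGNED = _cert("shop.example.com", "shop.example.com", ["shop.example.com"])

for label, cert in [("good", GOOD), ("wildcard", WILDCARD),
                    ("wrong host", WRONG_HOST), ("self-signed", SELF_SIGNED)]:
    print(label, verify_peer(cert, "shop.example.com"))
```

The "wrong host" case is the one the answer warns about: the connection is encrypted and the certificate is genuinely CA-signed, but it does not name the server the client asked for, so a browser doing this check refuses to proceed.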