HTTPS is not only for server verification. It also encrypts the connection between the server and the client/browser.
හෙළයෙක් said:
Make the client understand, mate, that this is exactly what HTTPS is there for. Otherwise you guys are going to get into serious trouble trying to do that manually.
These are mostly applicable to end-to-end encrypted applications. So HTTPS is not always secure; it is just verification of the server. Just search for "man in the middle attack"; it can easily hack HTTPS.
Yes, MITM is possible with HTTPS, but the man in the middle has no access to the SSL certificate for the targeted domain, so the browser will show a "Your connection is not private" warning and prevent the user from accessing the site. It is possible to bypass this browser warning by installing some bogus CA certificates in the user's browser/computer, but that means the attacker must have access to the user's computer, meaning the user is compromised anyway.
That is why browser security and the user's computer literacy are two key factors in computer security.
Also, if MITM is the risk, the data is at risk even if you encrypt in the browser, because you don't have a secure way to transfer keys between the browser and the server. SSL is the solution to this very problem. You can implement PKI on top of SSL, but then you have to solve how to exchange keys, and you are back to square one.
In simple terms, if the user is aware of the browser warning, it is not that easy (I would say nearly impossible for a random hacker) to hack/MITM an HTTPS connection. Even current supercomputers are not capable of cracking SSL certificates/keys, but future supercomputers will have that capability, making current SSL standards and implementations obsolete.
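Added example (not posted by anyone in this thread) that reproduces the check the post above describes: a man in the middle can make a certificate that names the victim's site, but a browser only accepts it if the chain ends at a CA it already trusts, so the forged certificate is rejected until a bogus CA is installed on the user's machine. It assumes the `openssl` command-line tool (1.1.1 or newer) is on PATH; the hostname `shop.example.test` and the two CA names are made up for the demo, and `verdict` stands in for the browser's decision.

```shell
#!/bin/sh
# Added example, not from the thread: what a browser's certificate check does
# for an HTTPS site, and why a MITM needs a CA the victim already trusts.
# Assumes the `openssl` CLI (1.1.1+) is on PATH; names below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="shop.example.test"   # hypothetical target site

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$HOST" > "$WORK/leaf_ext.cnf"

# make_ca <prefix> <name>: a self-signed root CA (P-256 key, quick to generate).
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <ca_prefix> <leaf_prefix>: a server certificate for $HOST signed by that CA.
issue_leaf() {
  openssl req -new -config "$WORK/openssl.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$HOST" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf_ext.cnf" \
    -out "$WORK/$2.pem" 2>/dev/null
}

# verdict <trusted_ca_prefix> <leaf_prefix>: the decision a browser makes.
# The chain must end at a trusted root AND the certificate must name $HOST.
# Prints OK (page loads) or REJECT ("Your connection is not private").
verdict() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
       -verify_hostname "$HOST" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECT
  fi
}

make_ca legit_ca "Demo Public CA"      # the CA the browser ships with (constructed)
issue_leaf legit_ca legit_leaf         # the real site's certificate
make_ca attacker_ca "MITM Corp CA"     # a CA the attacker created himself (constructed)
issue_leaf attacker_ca forged_leaf     # attacker's certificate for the same hostname

echo "real site cert, normal trust store:   $(verdict legit_ca legit_leaf)"
echo "MITM cert, normal trust store:        $(verdict legit_ca forged_leaf)"
echo "MITM cert, bogus CA installed:        $(verdict attacker_ca forged_leaf)"
```

The second line is the case the post describes: the attacker can forge a certificate that says `shop.example.test`, but the browser's trust store knows nothing about "MITM Corp CA", so the handshake is refused and the warning page appears. The third line is the bypass: once the attacker's CA is in the user's trust store, the same forged certificate passes, which is why getting a bogus CA onto the machine is the prerequisite.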