1

Suppose I've got a response from a website using https. Is it possible to store the certificate and key exchange to prove to a third party that the response came from that domain?

msbrogli

1 Answer

1

No, at least for standard ciphersuites, TLS/https does not allow proving to a third party that an https payload was received from a certain domain.

Problem is, the initial TLS handshake leads to symmetric keys known by both parties, used to secure the rest of the exchange. Thus each party can forge messages and pretend the other side sent them.

fgrieu
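The argument in the answer above, as an added example that is not part of the original answer: a simplified model in which HMAC-SHA256 stands in for TLS record protection, showing that a record fabricated by the client verifies exactly like one the server sent. The function names and the key-derivation labels are hypothetical, and the handshake values are constructed.

```python
import hashlib
import hmac
import os


def derive_traffic_keys(master: bytes, client_random: bytes, server_random: bytes):
    """Run by BOTH endpoints on the same handshake values (simplified KDF)."""
    seed = client_random + server_random
    client_write = hmac.new(master, b"client write" + seed, hashlib.sha256).digest()
    server_write = hmac.new(master, b"server write" + seed, hashlib.sha256).digest()
    return client_write, server_write


def protect(key: bytes, payload: bytes) -> bytes:
    """Stand-in for record protection: a MAC under a symmetric key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verifies(key: bytes, payload: bytes, tag: bytes) -> bool:
    """What a third party could check if handed the stored session keys."""
    return hmac.compare_digest(protect(key, payload), tag)


def demo() -> dict:
    # Constructed handshake values; a real handshake negotiates these.
    master, c_rand, s_rand = os.urandom(32), os.urandom(32), os.urandom(32)

    # Each side derives the keys independently and ends up with the same pair.
    _, server_side_key = derive_traffic_keys(master, c_rand, s_rand)
    _, client_copy_of_server_key = derive_traffic_keys(master, c_rand, s_rand)

    # The server really sends this record.
    genuine = b"HTTP/1.1 200 OK\r\n\r\nbalance=10"
    genuine_tag = protect(server_side_key, genuine)

    # The client writes a different body and protects it with its own copy
    # of the server-write key. The server never produced this record.
    fabricated = b"HTTP/1.1 200 OK\r\n\r\nbalance=1000000"
    fabricated_tag = protect(client_copy_of_server_key, fabricated)

    return {
        "same_key": server_side_key == client_copy_of_server_key,
        "genuine_verifies": verifies(client_copy_of_server_key, genuine, genuine_tag),
        "fabricated_verifies": verifies(client_copy_of_server_key, fabricated, fabricated_tag),
        "tags_differ": genuine_tag != fabricated_tag,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both records pass the same check, so a stored transcript plus session keys gives a third party no way to tell which side authored a record.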