I wanted to know: if I make an application and need to use SSL to encrypt the TCP connection, is it necessary to save the keys in a .pem file? What if malicious software just steals that .pem file from a client's computer; will it be able to decrypt all the TCP packets?

schroeder
  • WRT 'what if a malicious software just steals that .pem file from any clients computer' - Generally, most web servers running HTTPS do not require the client to have a certificate, so no .pem file is needed on the client. See https://security.stackexchange.com/questions/110621/ssl-newbie-does-https-client-also-need-a-certificate for more info. – mti2935 Jul 14 '23 at 18:29

1 Answer

It depends.

On the server side, the pem file may sometimes store the private key, but usually the private key may be stored on a security module, security enclave, or other storage method. Not all software will store the private key in the pem file.

If your software uses Forward Secrecy, the data your software sends (or has already sent) is protected even if the attacker has the private key for your server.

If your software doesn't use it, an attacker will be able to decrypt sent data, and future sent data.

On the client side, the pem file does not contain the private key for the server. It will have only the server certificate and any intermediate certificates used to sign the server certificate. That is known as the "public key" and it's public. So if an attacker gets the pem file on the client, they will not be able to decrypt anything.

ThoriumBR
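The cases in the answer above can be checked mechanically. This is an added example, not code from the answer's author: it lists what a .pem file actually holds and combines that with the negotiated cipher, in the `(name, protocol)` form returned by Python's `ssl.SSLSocket.cipher()`. The sample PEM bodies are constructed placeholders and `theft_impact` is a hypothetical helper name.

```python
import re

# PEM armor: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def classify_pem(text):
    """Return the label of every PEM block found in the file's text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def holds_private_key(text):
    """True for PRIVATE KEY, RSA/EC PRIVATE KEY and ENCRYPTED PRIVATE KEY."""
    return any(label.endswith("PRIVATE KEY") for label in classify_pem(text))

def is_forward_secret(cipher_name, protocol):
    """Certificate-based TLS 1.3 handshakes always use ephemeral (EC)DHE;
    in TLS 1.2 and earlier only the ECDHE-/DHE- suites do."""
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))

def theft_impact(pem_text, cipher_name, protocol):
    """Map a stolen .pem file onto the cases described in the answer."""
    if not holds_private_key(pem_text):
        return "certificates-only"           # public data, decrypts nothing
    if is_forward_secret(cipher_name, protocol):
        return "key-exposed-forward-secret"  # session keys not derivable from it
    return "key-exposed-decryptable"         # static RSA key exchange

# Constructed sample files; the base64 bodies are placeholders, not real keys.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
CLIENT_BUNDLE = CERT + CERT   # server certificate plus one intermediate
SERVER_PEM = CERT + (
    "-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, proto in [("AES128-GCM-SHA256", "TLSv1.2"),
                        ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
                        ("TLS_AES_128_GCM_SHA256", "TLSv1.3")]:
        print(name, proto,
              "client:", theft_impact(CLIENT_BUNDLE, name, proto),
              "server:", theft_impact(SERVER_PEM, name, proto))
```
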