
Can https be decrypted easily?
(Or even by spending some time?)
Plus, what other security methods do banks apply to prevent theft of sensitive data?
Do they encrypt data using their own private key that is changed automatically?

Comments
  • 3
    Not if you use a good cert.
  • 2
    @Voxera which cert is a good cert?
  • 4
    @R1100
    Normally recommended is 4096-bit or higher. This number may increase over time.
  • 2
    @Voxera @R1100

    ECC certificates.
  • 2
    @jaytar is the key constant ?
  • 3
    @R1100 have a look at the basics of SSL. Yes, the key is constant while the cert is valid (often about 2 years). No, this is not a problem because it takes even supercomputers a lot of orders of magnitude more time to factorize the public key.
  • 2
    @jaytar what about quantum computers?
  • 3
    @R1100 as far as publicly known, even banks and government organisations use the same type of cryptography that SSL uses. A functional quantum computer with a few kilo qubits will evaporate almost every encryption in use today. But there are some quantum safe encryption algorithms which can be used in that case. Unfortunately, you need a quantum computer to use them.
  • 6
    @R1100 if someone has a quantum computer in their garage, you have more to worry about than decrypting an SSL cert.
  • 2
    @R1100
    There are, however, some rules on certs that you should follow:
    - never ever store the private key anywhere accessible to someone who should not have access. An imposter could take the identity of your site and you don't want that. A copy on a USB stick in a locker is fine, a copy in your Dropbox is a no-go
    - if you suspect someone got hold of your private key, immediately revoke the cert (a good CA can do this) and get a new one
    - create the private key directly on the server it will be used for; this reduces the risk of someone intercepting the communication
    - use wildcards very cautiously, I prefer getting a new one for a new subdomain
  • 2
    @jaytar thanks 😊
  • 1
    @jaytar For quantum safe algorithms a quantum computer is not required.
    Google experimented with those a while ago but I'm not sure if those algorithms are still included in Chrome.
  • 2
    @sbiewald Okay, TIL. Granted, I'm not exactly an expert on quantum cryptography ^^
  • 4
    the security of https largely depends on your server config:
    1) don't allow SSL ever.
    2) ideally, only allow TLS 1.2, not 1.1 or 1.0 unless you have a considerable user base with Android below version 5.
    3) keep your server updated to make sure you have no vulnerabilities like Heartbleed.
    4) don't allow weak cypher algorithms. Good cert plus weak configured algorithms is bad.
    5) forward HTTP to HTTPS or use the upgrade-insecure-requests HTTP header.
    6) use the HSTS header.
    7) check the whole thing with https://www.ssllabs.com/ssltest/ and follow the recommendations.
  • 3
    A little note where the cypher algorithms come into play. First, the client tells the server which symmetric algorithms it supports. The server selects one of these, and they exchange the symmetric key. This symmetric key is encrypted via asymmetric encryption with the public/private key pair of the server. The rest of the communication then runs with the selected symmetric algorithm using the symmetric key. That's pretty similar to how PGP works.

    The reason for this setup is that asymmetric encryption would be too slow to use on everything. So, if you have a good cert with strong keys, but then allow weak symmetric cypher algorithms to be used for the content encryption, the whole thing will fall flat.
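    The server-config checklist above and the note on where the cipher algorithms come into play, as an added nginx configuration that is not from any poster in this thread: a weak server block next to its hardened equivalent. The domain and certificate paths are placeholders (the Let's Encrypt paths follow certbot's default layout), and TLS 1.3 postdates the thread.

```nginx
# Weak server block: what items 1, 2, 4, 5 and 6 of the checklist warn against.
# Shown only for contrast; the cert itself could be perfect and this would still fail.
server {
    listen 443 ssl;
    server_name example.com;                     # placeholder name
    ssl_certificate     /etc/ssl/example.crt;    # placeholder paths
    ssl_certificate_key /etc/ssl/example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # items 1/2: SSLv3 and TLS 1.0/1.1 still negotiable
    ssl_ciphers HIGH:MEDIUM:!aNULL;              # item 4: 3DES/RC4-class suites still negotiable
    # no ssl_dhparam: older nginx falls back to built-in 1024-bit DH parameters,
    # the kind of weak DH exchange that SSL Labs caps at grade B
    # no HSTS header (item 6), and port 80 keeps serving plain HTTP (item 5)
}

# Hardened equivalent.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;        # item 5: send every plain-HTTP request to HTTPS
}

server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # certbot default layout
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;               # items 1/2 (TLS 1.3 needs OpenSSL 1.1.1 or newer)

    # item 4: only forward-secret (ECDHE/DHE) AEAD suites, so the strong cert is not
    # undermined by a weak symmetric algorithm chosen for the content encryption
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # fresh DH parameters for the DHE suites above; generate once on the server with:
    #   openssl dhparam -out /etc/nginx/dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # item 6: HSTS on every response, error pages included ("always")
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
```

    After reloading nginx, item 7 still applies: run the SSL Labs test against the host to confirm the negotiated protocol and cipher list match what the config intends.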
  • 1
  • 2
    @Linux not really useful due to lack of support.
  • 1
    @Fast-Nop
    It is a shame it isn't.
  • 2
    This is what you get with letsencrypt. It's free and good enough unless you're a bank.
  • 5
    @olback actually, this is what you can get with a Let's Encrypt certificate if the server is configured properly.
  • 3
    @Fast-Nop cool if I can get one 😁
  • 2
    @Fast-Nop Do you have a guide or something, I'd like to get to that A+ sweetness as well...
  • 1
    @olback to be honest, my algorithm is checking out whether things are right, and if they aren't, I mostly open a support ticket with my hosting provider and tell them to fix that. :-)

    But in your case, the DH key exchange needs some reconfig, that's why the grade is capped to B.
  • 4
    @Fast-Nop Yeah, I decided to go all in on this. Still a letsencrypt cert.
  • 2
    @olback holy shit, that's awesome! :-)
  • 3
    @olback that’s nice, you’ve done well to get it that high.

    Let’s encrypt on a raspberry pi looks like this.
  • 3
    U R all super awesome!!
  • 2
    @hacker grab a few brownie points and disable TLS 1.0 and 1.1 support.
  • 2
    @C0D4 hey, thanks. I'll research more into that because I have no idea how to disable support for those yet...