I've been thinking about encryption this morning (and I have no clue why) and I started thinking about if it's at all possible for two strangers to establish a secure connection. I'm having my doubts, but I don't know a whole lot about encryption.

Today, we use SSL to try and establish a secure connection, but it relies on mutual friends of the two strangers (or in other words, certificates and certificate authorities). If the two strangers have no trusted mutual friend, then they can't validate certificates with their trusted mutual friend, and thus can't be entirely sure there isn't a man in the middle.

Is it even theoretically possible for two complete strangers to securely communicate without a mutual friend?

isn't this what public/private key's are for?

they exchange their public keys, encrypt their data to be sent with that public key, then decrypt with their own private keys.

 

isn't this what public/private key's are for?
 
they exchange their public keys, encrypt their data to be sent with that public key, then decrypt with their own private keys.

Vulnerable to man-in-the-middle.

Assume you want to contact this hot girl from the chat room and ask for her key. I intercept that key and send you mine instead. You send her your key, which I replace by my key as well. What now?

This works, reliably, if you have someone signing your keys. Not otherwise.

that is very true, didn't think about the man in the middle distributing his key instead.

As an extension of the man-in-the-middle issue, how do you establish trust in the first place (i.e. how do you know who the other end is)?

Securely communicating with a random stranger is not useful. Since you don't know who they are, you have no idea what they are doing with your communication.

As a more concrete example: you find a website selling high-end laptops for $100 each. You are naturally cautious, but their order form has an SSL certificate. If the order form is secure, it must be safe to order, right?

As an extension of the man-in-the-middle issue, how do you establish trust in the first place (i.e. how do you know who the other end is)?

Yeah, that's basically what I was thinking about this morning. If you want to talk to a complete stranger, you can't possibly know if you're talking to the right stranger without relying on someone else telling you "Yeah, that's the right guy."

Securely communicating with a random stranger is not useful. Since you don't know who they are, you have no idea what they are doing with your communication.

Well, yes, if they're a complete stranger you've got no clue what they're doing with the information you're sending them. But I was more interested in whether or not the sending and receiving of messages can be secure or not.

As a more concrete example: you find a website selling high-end laptops for $100 each. You are naturally cautious, but their order form has an SSL certificate. If the order form is secure, it must be safe to order, right?

Seems legit. Ha, nice example.

It is entirely possible to communicate securely without a friend, you should read more about cryptography.

Ooo, interesting. If there's a book that is a "light read" and explains things in simple English then I'd definitely be interested, if you know of any. On the other hand, if the only books covering that stuff are full of technical and algorithmic detail I'd probably rather just have someone explain it to me like I'm 4 :)

Man in the middle attacks can be detected with modern day cryptography, and it is possible to authentic that who you are talking to is indeed who you intend to talk to. Is this 100% full proof? No.

Can you elaborate on what kind of attacks we're still vulnerable to?

As for attacks we are vulnerable too, I imagine side-channel and implementation attacks being the primary target now of days.

And never discount good old-fashioned social engineering.