Hi Peter,
You mentioned:
So, when the PKI client in my (for example) web browser connects to your IIS server, my web browser's PKI client will connect to the Certifying Authority URL that you specified when you created your SSL certificate
What do you mean the client will connect to the CA URL specified when you created the SSL cert? I thought the client will connect to the URL specified in the "Common Name" when I created the SSL cert. I don't think I specified a URL when I created my CA... I just gave it a name in the "Common Name" field (like: "My CA" or whatever).
From: Peter O Sigurdson <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: How to check server's SSL certificate on client?
Date: Fri, 20 Aug 2004 13:04:56 -0400
Greetings,
What do I have to do to ensure that the server I connect to is the original one?
The certificate you created with OpenSSL, like any X.509 certificate, consists of 3 elements:
- the URL of your server
- a public key for your URL
- the URL of the certifying authority which I have to trust to believe that your certificate is trustworthy, based on your public key
So, when the PKI client in my (for example) web browser connects to your IIS server, my web browser's PKI client will connect to the Certifying Authority URL that you specified when you created your SSL certificate (which is installed on your IIS server), and I will be challenged to accept it for installation into my web browser when I try to connect to your server.
Then, I know that this URL is being controlled by the person whose public key is in the certificate I installed in my browser, and I can view it to check that public key against the listing on Verisign.com (or whoever is your CA).
But how can I check if some hacker has redirected the request and created a certificate with exactly the same data I used on my page?
The hacker could set up a fraudulent Domain Name Server on someone's network segment, and write malicious mobile code to change the DNS cache on the client computer of user X whom they wish to trick. Then user X would go to the URL www.yourrealdomain.com, which the fraudulent DNS would direct to the hacker's own web server, and the user would see a copy of your web site, and user X might start entering credit card details believing that he is buying your products. The hacker would now have user X's credit card number. There is nothing you can do to stop this, so just give up on worrying about it.
However, if your concern is that a hacker would register a closely similar URL such as www.yourrealdomain.us, they can't possibly pass themselves off as you, since the certificate with your public key is bound to the URL www.yourrealdomain.com, not www.yourrealdomain.us.
I hope this explanation has been helpful, let me know if I can clarify further.
"Clemens Chiba - Greentube I.E.S. AG" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/20/2004 12:34 PM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc:
Subject: {Spam?} How to check server's SSL certificate on client?
Hi!
I've created an SSL certificate for an IIS server, and wrote a client with OpenSSL that can communicate with this HTTPS page via POST request.
Everything is working fine by now.
But how can I check if some hacker has redirected the request and created a certificate with exactly the same data I used on my page? What do I have to do to ensure that the server I connect to is the original one?
Thanks in advance.
Ciao and bye, (:Clemens:)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
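Added example, not code from the thread: the client-side check that answers the original question, done with the openssl command line. It assumes openssl 1.1.1 or newer is on PATH; the CA, the server certificate and the impostor certificate are constructed throwaway data, and the hostnames are the ones used in the thread. A certificate that copies the same subject is rejected because it does not chain to the CA the client already trusts, and the genuine certificate is rejected for a name it was not issued for.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI
# (1.1.1 or newer, for -addext and -verify_hostname) is on PATH.
# All keys, names and certificates below are constructed throwaway data.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="www.yourrealdomain.com"

# Build a private CA and a server certificate it signs, bound to $HOST
# via subjectAltName. Also build an impostor certificate that copies the
# same subject and hostname but is self-signed with a key the CA never saw.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=My CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" >"$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/fake.key" -out "$WORK/fake.pem" 2>/dev/null
}

# What a client should do with the certificate a server presents:
# 1. check that it chains to a CA the client already trusts (-CAfile), and
# 2. check that it is issued for the hostname the client meant to reach.
# Returns 0 only when both checks pass.
check_cert() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_pki
for cert in server fake; do
  if check_cert "$WORK/$cert.pem" "$HOST"; then
    echo "$cert.pem: chains to our CA and is bound to $HOST"
  else
    echo "$cert.pem: REJECTED (untrusted issuer or wrong hostname)"
  fi
done
# A genuine certificate for a different name is rejected too.
if check_cert "$WORK/server.pem" "www.yourrealdomain.us"; then
  echo "unexpected: server.pem accepted for www.yourrealdomain.us"
else
  echo "server.pem: REJECTED for www.yourrealdomain.us (name mismatch)"
fi
```

The same two checks are what an OpenSSL-based client performs in code by loading the CA with SSL_CTX_load_verify_locations, setting SSL_VERIFY_PEER, and verifying the expected hostname against the peer certificate.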