On Mon, 6 Jun 2005, bruce wrote:
but you still haven't addressed my problem/issue/question...
and that's how do i as a user (not an app) know that this is the right site for the url i entered... my fear is that a malicious site, could simply fake the information he's providing, to 'look' like the actual/real site...
The point is the site cert is hard to fake... so look at that.
No mechanism outside of cryptographic ones has any hope of demonstrating uniqueness in the context internet connectivty.
joelja
and as of yet.. i can't craft a solution to this issue...
-bruce
-----Original Message----- From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Felipe Alfaro Solana Sent: Monday, June 06, 2005 4:02 AM To: For users of Fedora Core releases Subject: Re: how can you verify that the site you get is not a fake?
On 6/6/05, Steffen Kluge <kluge@xxxxxxxxxxxxxx> wrote:On Sun, 2005-06-05 at 21:42 -0700, bruce wrote:siteas i understand the ssl process... the browser hits the ssl site.. thethenreturns some information to me, the browser. my question/statement, if i know what the information shoudl be from the server with the ssl cert,why couldn't i somply craft a response on my server, and send the information back to the browser...
The information sent to the client is the server's public key bearing some CA's signature (a.k.a. a certificate). The CA's signature vouches for the fact that the key pair to be used really belongs to you (the server). In order to play ball you don't just need the certificate (or public key - that's, err, public), you also have to have the matching private key. Assuming paypal keep their private keys secure, you can trust their SSL site, if you trust their CA.
The X.509 certificate is a document signed by a trusted third-party (in fact, not directly trusted by you, but by your browser or any other SSL-enabled software), which asses the public key carried in that certificate belongs to the subject to which the certificate is expedited. The trusted third-party, called CA (Certificate Authority) has to check that the subject (user for e-mail only certs, machine for Web certs and so on) identity is valid and passes some validity checks.
When connecting via HTTP/S, the remote Web server must prove that it also has/knows the private key associated with the certificate's public key. Else, anyone could stole the certificate and present it to remote clients without proving he/it is the only one authorized owner.
SSL is far from perfect, as there are weak mechanisms on which it, directly or indirectly, depends, like trust chains, name resolution, hash and crypto algorithms and human intervention.
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@xxxxxxxxxxxxxxxxxxxx GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2