how can you verify that the site you get is not a fake?

Mon Jun 6 13:05:58 UTC 2005

but you still haven't addressed my problem/issue/question...

and that's how do i as a user (not an app) know that this is the right site
for the url i entered... my fear is that a malicious site, could simply fake
the information he's providing, to 'look' like the actual/real site...

and as of yet.. i can't craft a solution to this issue...

-bruce

-----Original Message-----
From: fedora-list-bounces at redhat.com
[mailto:fedora-list-bounces at redhat.com]On Behalf Of Felipe Alfaro Solana
Sent: Monday, June 06, 2005 4:02 AM
To: For users of Fedora Core releases
Subject: Re: how can you verify that the site you get is not a fake?

On 6/6/05, Steffen Kluge <kluge at fujitsu.com.au> wrote:
> On Sun, 2005-06-05 at 21:42 -0700, bruce wrote:
> > as i understand the ssl process... the browser hits the ssl site.. the
site
> > returns some information to me, the browser. my question/statement, if i
> > know what the information shoudl be from the server with the ssl cert,
then
> > why couldn't i somply craft a response on my server, and send the
> > information back to the browser...
>
> The information sent to the client is the server's public key bearing
> some CA's signature (a.k.a. a certificate). The CA's signature vouches
> for the fact that the key pair to be used really belongs to you (the
> server). In order to play ball you don't just need the certificate (or
> public key - that's, err, public), you also have to have the matching
> private key. Assuming paypal keep their private keys secure, you can
> trust their SSL site, if you trust their CA.

The X.509 certificate is a document signed by a trusted third-party
(in fact, not directly trusted by you, but by your browser or any
other SSL-enabled software), which asses the public key carried in
that certificate belongs to the subject to which the certificate is
expedited. The trusted third-party, called CA (Certificate Authority)
has to check that the subject (user for e-mail only certs, machine for
Web certs and so on) identity is valid and passes some validity
checks.

When connecting via HTTP/S, the remote Web server must prove that it
also has/knows the private key associated with the certificate's
public key. Else, anyone could stole the certificate and present it to
remote clients without proving he/it is the only one authorized owner.

SSL is far from perfect, as there are weak mechanisms on which it,
directly or indirectly, depends, like trust chains, name resolution,
hash and crypto algorithms and human intervention.

--
fedora-list mailing list
fedora-list at redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list