[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: how can you verify that the site you get is not a fake?



--On Sunday, June 05, 2005 10:06 PM -0700 Joel Jaeggli <joelja darkwing uoregon edu> wrote:

steal the cert installed on the webserver and use it in conjunction with
some ip based trickery to masquerede as the site in question

I think the OP was also concerned with replay attacks, and it's the second part of this response that's used to prevent that.


I believe there's also a challenge-response component: The client sends something that the remote server encrypts with its private key. The client uses the public key (the cert returned) to decode it and verify that the server possesses the private key.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]