Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- Alexander Ausserstorfer
April 4, 2013, 3:28 pm
rate this thread
From page 2:
| 2.4. Server Identity Check
| During the TLS negotiation, the client MUST check its understanding
| of the server hostname against the server's identity as presented in
| the server Certificate message, in order to prevent man-in-the-middle
| attacks. Matching is performed according to these rules:
| - The client MUST use the server hostname it used to open the
| connection as the value to compare against the server name as
| expressed in the server certificate. The client MUST NOT use any
| form of the server hostname derived from an insecure remote source
| (e.g., insecure DNS lookup). CNAME canonicalization is not done.
Why does this work? Cannot someone send a wrong Certificate but with the
Re: A silly question to Server Identy Check (RFC 2595)
Not if the Certificate Authority is doing their job. They shouldn't
approve and sign a certificate that has a hostname that doesn't belong
to the holder of the certificate. I can't call Verisign and ask them to
sign a certificate that has the hostname login.google.com, only an
authorized Google representative should be able to do this.
Barry Margolin, firstname.lastname@example.org
*** PLEASE post questions in newsgroups, not directly to me ***
- » looking for your advice to get a penetration test tool.
- — Next thread in » General Computer Security
- » Cannot filter out a particular domain name on my Linksys router
- — Previous thread in » General Computer Security