https confusion - Page 2



Re: https confusion



Just as a practical example: if you connect your browser to any bank site
that provides internet banking, they usually have a log in button. When you
click that you notice that the URL links to something like:


You will notice that your browser should display an icon, usually a padlock,
next to, say, the status line at the bottom of the window. In
Firefox, if you hover the mouse over the padlock it will pop up info saying
"Signed by <CA provider>". That says that the certificate received from the
server is a valid certificate issued by whoever the CA provider is (often
Verisign). That indicates that the server Firefox is connected to is really
the correct server that the CA provider issued the certificate to (note that
mybank has to pay Verisign or another CA provider for the privilege; the
certificate often has an expiry date, which means that the bank has to
periodically cough up money to the CA provider to get a new certificate issued).
If you double click on the padlock it will give you the full details.
Hopefully this indicates that your browser now has an encrypted SSL
connection to the bank's server and you can be reasonably sure that it is
your bank that you are connected to and not a phishing site. Make sure that
the name next to the padlock is what you expect, e.g. a phisher
could trick you into connecting to a site with a valid certificate for say - you might notice that the name is not what it should be. So
far you are fairly certain that it is indeed the right bank's server that you
are talking to, but they do not at this stage know who you are, as they allow
anyone to connect up to this point. They only know who you are because you now
type in some sort of usercode and password that only you should know. As
other posters pointed out, it is possible to set things up so that the client
must also provide a CA-signed certificate to the server.

Apache supports all this stuff, and note that you don't need to use a CA to
provide certificates: if you have control of both the client and server end
you can generate your own certificates, assuming you trust yourself ;^), which
also has the advantage of being free. Check out the prices for Verisign
(ouch): /

If the general public are going to access it then you really do need to use one
of the CAs that are built into the common browsers. If you don't, the
browser will pop up a dialog to the user saying something like "well I
received this certificate from the server but I don't know who the issuer is
- it's up to you if you believe it or not".
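The checks the post describes behind the padlock (a chain to a known CA, the
expiry date, and the name matching the site you typed) and the "trust yourself"
private CA can all be reproduced offline with Go's standard library. The
following is an added example written for this page, not code from the poster
or from Apache or Firefox; the CA name and the two host names are constructed
for the demonstration and nothing here opens a network connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for this example; nothing here touches the network.
const (
	caName      = "Example Private CA"       // hypothetical "trust yourself" CA
	bankHost    = "www.mybank.example"       // the site the user expects to reach
	phisherHost = "www.mybank-login.example" // another site holding its own valid cert
)

// Fixed validity window so the expiry check is reproducible.
var (
	notBefore = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter  = notBefore.AddDate(1, 0, 0) // one-year certificate, as the post describes
)

// sign generates a key and has parent sign tmpl; a nil parent means self-signed.
// Failures here would mean a broken RNG or template, so the example just panics.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leaf returns a server-certificate template for one DNS name.
func leaf(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the browser matches the URL's host against these
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verdict performs the checks behind the padlock: chain to a trusted root,
// validity period at 'now', and a name match against the host the user typed.
func verdict(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown issuer" // the "I don't know who the issuer is" dialog
	case errors.As(err, new(x509.HostnameError)):
		return "name mismatch" // a valid certificate, but for a different site
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired" // time to cough up for a new certificate
	default:
		return "other: " + err.Error()
	}
}

// Scenarios runs the four cases discussed in the post and returns each verdict.
func Scenarios() map[string]string {
	ca, caKey := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             notBefore,
		NotAfter:              notAfter.AddDate(9, 0, 0), // the CA outlives the leafs it signs
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	bank, _ := sign(leaf(bankHost, 2), ca, caKey)
	phisher, _ := sign(leaf(phisherHost, 3), ca, caKey)
	trusted := x509.NewCertPool() // a browser that has our private CA installed
	trusted.AddCert(ca)
	untrusted := x509.NewCertPool() // a stock browser that has never heard of it
	now := notBefore.AddDate(0, 6, 0)
	return map[string]string{
		"bank, trusted CA":        verdict(bank, trusted, bankHost, now),
		"bank, unknown CA":        verdict(bank, untrusted, bankHost, now),
		"phisher cert, bank host": verdict(phisher, trusted, bankHost, now),
		"bank, after expiry":      verdict(bank, trusted, bankHost, notAfter.Add(24*time.Hour)),
	}
}

func main() {
	for name, v := range Scenarios() {
		fmt.Printf("%-24s -> %s\n", name, v)
	}
}
```

The "bank, unknown CA" case is what a member of the public sees when a site
uses a home-made CA: the certificate is perfectly well formed, the browser
simply has no root to chain it to. The "phisher cert, bank host" case is the
point about reading the name next to the padlock: the certificate chains
cleanly to a trusted CA, and only the host-name comparison gives the game away.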

