On 10/17/06, Serge Dubrouski <sergeyfd@xxxxxxxxx> wrote:
> > The channel is encrypted, but you have no idea who encrypted it. It
> > could, for example, be a "man in the middle" that puts himself on the
> > wire between you and server, decrypts the original content,
>
> Tell me how you would do that without the server's private key????? It
> doesn't matter who issued the certificate, encryption is always the
> same, based on a server's private key. So you have to steal it first.
The man-in-the-middle appears like any old client to the server. If you need this in more detail:

1. Client makes a request that it intends for the server.
2. Man-in-the-middle pretends to be the server, negotiates encryption with the client, and accepts the request.
3. Man-in-the-middle pretends to be the client, negotiates encryption with the server, and makes the request to the server.
4. Server sends the response to the man-in-the-middle, who decrypts it, saves it, re-encrypts it and resends it to the client.

The server has no way to verify the identity of the client, and the client can only verify the identity of the server if it uses a proper certificate.
> The real problem with self-signed certificates is that they don't
> guarantee that company A, to which the certificate was issued, is really
> company A and not something else. The CA has to check all data that is
> put into the certificate before issuing it. But on the other hand,
> browsers now always contact CAs to verify certificates. Is OCSP enabled
> in your browser by default?
The only really important thing in the certificate is the hostname, since that is the only thing that the typical user can easily verify (by looking at the URL bar of their browser). Everything else is buried deep in browser menus and rarely gets used. So when I do online banking, I verify that I have an encrypted connection (without any certificate warnings) and that the URL bar has the correct site. Provided I am confident that I know the domain name of my bank, that isn't too bad security-wise. But if the server certificate is not right, you're screwed.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
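The two points argued in this thread, that an interposed "client" can terminate TLS on both sides without ever holding the real server's private key, and that the hostname check is what actually lets the client tell the real server from the interposer, can be made concrete on the client side. The following is an added example written for this page, not code from any poster or from the Apache project. It implements the DNS-name matching a browser performs against the certificate (case-insensitive, a wildcard only as the whole leftmost label, matching exactly one label) and models how three `ssl.SSLContext` settings react when the far end presents a certificate that does not carry the requested name. All host and certificate names are constructed for the demonstration; chain validation by a trusted CA is assumed to have already passed, so only the name-matching step is modelled.

```python
import ssl
from typing import Dict, Iterable


def _label_matches(pattern: str, label: str) -> bool:
    # A bare "*" label matches exactly one host label; anything else must be equal.
    if pattern == "*":
        return True
    return pattern == label


def hostname_matches(cert_names: Iterable[str], hostname: str) -> bool:
    """Return True if hostname matches one of the certificate's DNS names.

    Rules applied (in the spirit of RFC 6125 section 6.4.3):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is accepted only as the entire leftmost label, so
        "*.bank.example" covers "online.bank.example" but not "bank.example"
        and not "a.online.bank.example";
      * partial wildcards ("b*.bank.example") and wildcards covering a bare
        top-level domain ("*.example") are refused.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue  # wildcard never spans more or fewer labels
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue  # "*.example" would cover every site under .example
        if any("*" in p for p in pat_labels[1:]):
            continue  # wildcard outside the leftmost label is invalid
        if "*" in pat_labels[0] and pat_labels[0] != "*":
            continue  # partial wildcards are not accepted
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def connection_accepted(context: ssl.SSLContext, cert_names: Iterable[str],
                        requested_host: str) -> bool:
    """Model the client's decision about the certificate the far end presented.

    CERT_NONE: the channel is encrypted, but to whoever answered; nothing is
    checked, so an interposer with its own certificate is invisible.
    CERT_REQUIRED without check_hostname: the chain must be CA-signed, but any
    CA-signed certificate for any name is accepted (assumed here to have passed).
    CERT_REQUIRED with check_hostname: the name must also match the URL host.
    """
    if context.verify_mode == ssl.CERT_NONE:
        return True
    if context.check_hostname:
        return hostname_matches(cert_names, requested_host)
    return True


# Constructed scenario: the bank's real certificate versus the interposer's own.
BANK_HOST = "online.bank.example"                          # constructed
LEGIT_CERT_NAMES = ["online.bank.example", "www.bank.example"]  # constructed
MITM_CERT_NAMES = ["proxy.interposer.example"]             # constructed


def demo() -> Dict[str, bool]:
    """Run the three client configurations against the legitimate and MITM certs."""
    strict = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False             # must be cleared before CERT_NONE
    lax.verify_mode = ssl.CERT_NONE
    return {
        "strict_legit": connection_accepted(strict, LEGIT_CERT_NAMES, BANK_HOST),
        "strict_mitm": connection_accepted(strict, MITM_CERT_NAMES, BANK_HOST),
        "lax_mitm": connection_accepted(lax, MITM_CERT_NAMES, BANK_HOST),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `lax` context is the configuration that makes the interposition in the thread invisible: the handshake succeeds and the traffic is encrypted, but with a key negotiated with whoever answered. The default context rejects the same certificate purely because the name in it is not the one in the URL, which is exactly the check the last message says is the only one a typical user effectively relies on.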