WebApp Sec mailing list archives
Re: Authenticating a web server
From: Steve Suehring <csec-nospam () braingia org>
Date: Sun, 28 Mar 2004 08:45:13 -0600
The Verisign "seal" that you see on the web page has really nothing to do with the web site security. That's just marketing spaf to make one "feel" safer. The certificate presented to your browser is the key. For more information on digital certificates, see http://www.thawte.com/guides/

Steve

On Sun, Mar 28, 2004 at 02:04:56PM -0000, Amit Sharma wrote:
Hi list,

Was wondering what are the various ways for authenticating a web server. By this, I mean, how do I know if I am talking to the right server and not any phony website?

Option # 1

To my understanding, we can verify the identity of the server if it has a certificate seal on its website, something similar to what is issued by Verisign. But then, to me, it doesn't look like a foolproof solution, since the security logo that Verisign provides, and provides links to, can also be made phony. Do Verisign people patrol for phony logos of their security seal?

Option # 2

How about storing the header (HTTP/HTTPS) information of the web server, such as the web server version and other specific details which do not change quite often, for authentication purposes. This can be used to cross-check with the header info of a phony website claiming to be the original one. Typically, attackers building phony websites just duplicate the look and feel of the original website without actually bothering about modifying the header information as well.

Am sure there must be better ways for authenticating a web server. Would like to have some expert comments from Web Application Security gurus.

Gracias,
Amit

---
Whoops! There are still thousands of nuclear weapons in the world
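The reply's point, that the certificate the server presents (not a seal image or a Server header) is what identifies it, comes down to two checks a browser makes: the chain validates against a trusted CA, and the name in the certificate matches the host you asked for. The following is an added example, not code from the thread, that performs the chain check with Python's standard `ssl` module and implements the name check against the dict format `getpeercert()` returns; the sample certificate dict is constructed for illustration.

```python
"""Added example: verify that a TLS certificate names the host you meant to reach."""
import socket
import ssl


def hostname_matches(cert, hostname):
    """Return True if `hostname` is covered by a DNS Subject Alternative Name.
    The commonName field is deliberately ignored, as browsers do today.
    A wildcard is honoured only in the leftmost label and matches exactly
    one label (RFC 6125 section 6.4.3)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".example.com"
            left = host[: -len(suffix)] if host.endswith(suffix) else ""
            if left and "." not in left:               # exactly one label
                return True
    return False


def fetch_and_verify(hostname, port=443, timeout=5.0):
    """Connect with chain validation and hostname checking enabled; a bad
    chain or name mismatch raises ssl.SSLError / ssl.CertificateError.
    Returns the parsed peer certificate on success."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format; this is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for name in ("www.example.com", "shop.example.com",
                 "a.b.example.com", "example.com", "examp1e.com"):
        print(f"{name:18} -> {hostname_matches(SAMPLE_CERT, name)}")
```

A site that only copies the look of the original, or even its Server header, cannot pass these checks without a certificate for the victim's name issued by a CA the client trusts.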