Re: Authenticating a web server

[Steve Suehring <csec-nospam () braingia org>]

The verisign "seal" that you see on the web page has really nothing to do 
with the web site security.  That's just marketing spaf to make one "feel" 
safer.  The certificate presented to your browser is the key.

For more information on digital certificates, see:
See http://www.thawte.com/guides/

Steve

On Sun, Mar 28, 2004 at 02:04:56PM -0000, Amit Sharma wrote:
> Hi list,
>
> Was wondering what are the various ways for authenticating a web server. By this, I mean, how do I know if I am 
> talking to the rite server and not any phony website?
>
> Option # 1
> To my understanding, we can verifying the identity of the server if it has a a certificate seal on its website. 
> Something similar to what is issued by verisign. But then, to me, it doesn't look like a full proof solution since 
> the security logo that verisign provides and provides links to, can also be made phony. Do verisign people patrol for 
> phony logos of their security seal?
>
>
> Option # 2
> How about storing the header ( HTTP/HTTPS ) information of the web server such as the web server version and other 
> specific details which do not change quite often for authenticating purpose. This can be used to cross check with the 
> header info. of a phony website claiming to be the original one. Typically, attackers building phony websites just 
> duplicate the look and feel of the original website without actually bothering about modifying the header information 
> as well. 
>
> am sure there must be better ways for authenticating a web server. Would like to have some expert comments from Web 
> Application Security gurus.
>
> Gracias,
> Amit
>
> ---
> Whoops! There are still thousands of nuclear weapons in the world