On Sun, 2005-06-05 at 21:42 -0700, bruce wrote:
> as I understand the ssl process... the browser hits the ssl site.. the site
> returns some information to me, the browser. my question/statement, if I
> know what the information should be from the server with the ssl cert, then
> why couldn't I simply craft a response on my server, and send the
> information back to the browser...

The information sent to the client is the server's public key bearing some CA's signature (a.k.a. a certificate). The CA's signature vouches for the fact that the key pair to be used really belongs to you (the server). In order to play ball you don't just need the certificate (or public key - that's, err, public), you also have to have the matching private key.

Assuming paypal keep their private keys secure, you can trust their SSL site, if you trust their CA.

Cheers,
Steffen.
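The point Steffen makes, as an added example in Go that is not part of the thread: a certificate is public, so anyone can replay it, but the client checks two separate things, that a trusted CA signed the certificate for the expected host name, and that the peer can produce a signature under the public key inside that certificate. The TLS key exchange is reduced here to a nonce challenge signed by the server, which is a simplification of the real handshake, not a description of it. The CA name, the host name `www.example.test`, and every key are generated in the program; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerIdentity: the certificate a server presents and the key it actually signs with.
type ServerIdentity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// must panics on error; acceptable here because every input is generated locally.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue has signerKey sign a certificate for pub under parent and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey))
	return must(x509.ParseCertificate(der))
}

// makeChain builds a throwaway root CA and a CA-signed leaf for host. The CA
// name and host are constructed for the example; no real CA or site is involved.
func makeChain(host string) (*x509.CertPool, *ServerIdentity) {
	caKey := newKey()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert := issue(ca, ca, &caKey.PublicKey, caKey) // self-signed root
	leafKey := newKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, caCert, &leafKey.PublicKey, caKey) // the CA vouches for leafKey
	roots := x509.NewCertPool()                                // the browser's trust store: only our test CA
	roots.AddCert(caCert)
	return roots, &ServerIdentity{Cert: leaf, Key: leafKey}
}

// serverProves: the server signs the client's fresh nonce with whatever private key it holds.
func serverProves(id *ServerIdentity, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
}

// clientAccepts: chain the certificate to a trusted root for the expected host, then
// verify the nonce signature under the public key carried inside that certificate.
func clientAccepts(roots *x509.CertPool, cert *x509.Certificate, host string, nonce, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false // no trusted CA vouches for this certificate and host name
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

func handshake(roots *x509.CertPool, id *ServerIdentity, host string) bool {
	nonce := make([]byte, 32) // the client's fresh challenge, never reused
	must(rand.Read(nonce))
	sig, err := serverProves(id, nonce)
	if err != nil {
		return false // a server that cannot sign at all is rejected like any other
	}
	return clientAccepts(roots, id.Cert, host, nonce, sig)
}

// Demo challenges the genuine server, then an impostor replaying the same public certificate.
func Demo() (genuineOK, impostorOK bool) {
	const host = "www.example.test" // constructed host name
	roots, genuine := makeChain(host)
	impostor := &ServerIdentity{Cert: genuine.Cert, Key: newKey()} // same cert, wrong key
	return handshake(roots, genuine, host), handshake(roots, impostor, host)
}

func main() {
	genuineOK, impostorOK := Demo()
	fmt.Println("genuine server accepted:", genuineOK)                    // true
	fmt.Println("impostor with copied certificate accepted:", impostorOK) // false
}
```

The impostor passes the chain check, because the certificate it replays really was signed by the trusted CA, and fails only at the signature check, because the public key the client verifies against is the one inside that certificate, not one the impostor gets to choose. That is why knowing what the server "should" send is not enough: the part that cannot be copied is the private key, and the whole scheme rests on the site keeping it secret and on the client trusting the CA that vouched for it.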