[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

RE: how can you verify that the site you get is not a fake?

From: Kenneth Porter <shiva sewingwitch com>
To: For users of Fedora Core releases <fedora-list redhat com>
Subject: RE: how can you verify that the site you get is not a fake?
Date: Mon, 06 Jun 2005 03:55:30 -0700

--On Sunday, June 05, 2005 10:06 PM -0700 Joel Jaeggli <joelja darkwing uoregon edu> wrote:

steal the cert installed on the webserver and use it in conjunction with
some ip based trickery to masquerede as the site in question

I think the OP was also concerned with replay attacks, and it's the second part of this response that's used to prevent that.

I believe there's also a challenge-response component: The client sends something that the remote server encrypts with its private key. The client uses the public key (the cert returned) to decode it and verify that the server possesses the private key.

References:
- RE: how can you verify that the site you get is not a fake?
  - From: bruce
- RE: how can you verify that the site you get is not a fake?
  - From: Joel Jaeggli

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]