how can you verify that the site you get is not a fake?

Steffen Kluge kluge at fujitsu.com.au
Mon Jun 6 05:03:37 UTC 2005


On Sun, 2005-06-05 at 21:42 -0700, bruce wrote:
> as i understand the ssl process... the browser hits the ssl site.. the site
> returns some information to me, the browser. my question/statement, if i
> know what the information should be from the server with the ssl cert, then
> why couldn't i simply craft a response on my server, and send the
> information back to the browser...

The information sent to the client is the server's public key bearing
some CA's signature (a.k.a. a certificate). The CA's signature vouches
for the fact that the key pair to be used really belongs to you (the
server). In order to play ball you don't just need the certificate (or
public key - that's, err, public), you also have to have the matching
private key. Assuming paypal keep their private keys secure, you can
trust their SSL site, if you trust their CA.

Cheers
Steffen.
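
The step Steffen describes, as an added worked example (written for this page, not code from the thread or from any TLS library): the browser gets the certificate, checks the CA's signature on it, and then requires the server to sign a transcript containing a fresh client nonce with the private key that matches the certificate's public key. The fake site can copy the certificate (it is public) but cannot produce that signature. Textbook RSA with fixed Mersenne primes and no padding is used so the script needs only the Python 3.8+ standard library; the host name www.paypal.com, the function names and the message format are assumptions of the example, and real TLS uses padded signatures, random keys and a richer transcript, but the logic is the same.

```python
import hashlib
import os

# Illustration only: textbook RSA (no padding) with fixed Mersenne primes so
# the script is deterministic and standard-library only.  Not a TLS stack.
E = 65537                                    # public exponent for every key

CA_PRIMES = (2**521 - 1, 2**127 - 1)         # the CA's key
SERVER_PRIMES = (2**607 - 1, 2**107 - 1)     # the genuine site's key
IMPOSTOR_PRIMES = (2**1279 - 1, 2**89 - 1)   # the fake site's key


def keypair(p, q):
    """Return ((n, e), (n, d)) for primes p, q.  Needs Python 3.8+ for pow(e, -1, m)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest_int(data, n):
    """SHA-256 of data as an integer below n (no padding: this is a toy)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


def tbs(subject, pub):
    """The 'to be signed' part of a certificate: a name bound to a public key."""
    n, e = pub
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca_priv, subject, pub):
    """The CA vouches that `pub` belongs to `subject` by signing the binding."""
    return {"subject": subject, "pub": pub, "ca_sig": sign(ca_priv, tbs(subject, pub))}


class Server:
    """A site holding a certificate and whatever private key it has."""

    def __init__(self, cert, priv):
        self.cert, self.priv = cert, priv

    def handshake(self, client_nonce):
        # Prove possession of the private key by signing a transcript that
        # includes the client's fresh nonce, so an old proof cannot be replayed.
        transcript = client_nonce + tbs(self.cert["subject"], self.cert["pub"])
        return self.cert, sign(self.priv, transcript)


def client_handshake(trusted_ca_pub, expected_host, server):
    """What the browser checks before trusting the site.  Returns 'ok' or a reason."""
    nonce = os.urandom(32)
    cert, proof = server.handshake(nonce)
    binding = tbs(cert["subject"], cert["pub"])
    if not verify(trusted_ca_pub, binding, cert["ca_sig"]):
        return "rejected: certificate not signed by a trusted CA"
    if cert["subject"] != expected_host:
        return "rejected: certificate issued to a different name"
    if not verify(cert["pub"], nonce + binding, proof):
        return "rejected: peer does not hold the certificate's private key"
    return "ok"


CA_PUB, CA_PRIV = keypair(*CA_PRIMES)
SERVER_PUB, SERVER_PRIV = keypair(*SERVER_PRIMES)
IMPOSTOR_PUB, IMPOSTOR_PRIV = keypair(*IMPOSTOR_PRIMES)
HOST = "www.paypal.com"                      # hypothetical subject name
GENUINE_CERT = issue_certificate(CA_PRIV, HOST, SERVER_PUB)


def genuine_site():
    return client_handshake(CA_PUB, HOST, Server(GENUINE_CERT, SERVER_PRIV))


def replayed_certificate():
    """bruce's scenario: the fake server sends the real (public) certificate
    but can only sign the transcript with its own private key."""
    return client_handshake(CA_PUB, HOST, Server(GENUINE_CERT, IMPOSTOR_PRIV))


def self_minted_certificate():
    """The fake server signs a certificate for the same name with its own key."""
    fake_cert = issue_certificate(IMPOSTOR_PRIV, HOST, IMPOSTOR_PUB)
    return client_handshake(CA_PUB, HOST, Server(fake_cert, IMPOSTOR_PRIV))


if __name__ == "__main__":
    for scenario in (genuine_site, replayed_certificate, self_minted_certificate):
        print(f"{scenario.__name__:25s} -> {scenario()}")
```

Running it prints the three verdicts: the genuine site passes, the copied certificate fails the possession check, and the self-minted certificate fails the CA check. In real TLS the nonce is the client random and the possession proof is the CertificateVerify signature over the handshake transcript (TLS 1.3), or, in TLS 1.2, the signature on the ServerKeyExchange parameters or the ability to decrypt the RSA premaster secret; either way only the holder of the private key gets through.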
