how can you verify that the site you get is not a fake?

Kenneth Porter shiva at sewingwitch.com
Mon Jun 6 10:55:30 UTC 2005


--On Sunday, June 05, 2005 10:06 PM -0700 Joel Jaeggli 
<joelja at darkwing.uoregon.edu> wrote:

> steal the cert installed on the webserver and use it in conjunction with
> some IP-based trickery to masquerade as the site in question

I think the OP was also concerned with replay attacks, and it's the second 
part of this response that's used to prevent that.

I believe there's also a challenge-response component: The client sends 
something that the remote server encrypts with its private key. The client 
uses the public key (the cert returned) to decode it and verify that the 
server possesses the private key.
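The scenarios discussed in this thread (a stolen certificate without its key, IP-level trickery that lands you on a server with a certificate for some other name, and a plain forgery) can be played out end to end without a network. The Go program below is an added example for this archive page, not code posted by anyone in the thread; it uses only the Go standard library. The CA, the hostname www.example.com, the name attacker.example and every key are made up on the spot, so nothing here refers to a real site. The client trusts exactly one test CA and expects to reach www.example.com; four servers are then tried against it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const site = "www.example.com" // the hostname the client believes it is reaching (hypothetical)

// genKey makes a fresh P-256 key; the CA, the real server and the forger each get their own.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mint issues a certificate for pub from tmpl, signed by signer; passing tmpl as parent self-signs.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// template builds a CA or server-leaf certificate template for cn, valid for the next hour.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else { // the client matches ServerName against the SAN list, not the CN
		t.DNSNames, t.KeyUsage, t.ExtKeyUsage = []string{cn}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// handshake runs one TLS handshake over an in-memory pipe and returns the client's verdict: nil if accepted, else why not.
func handshake(serverCert tls.Certificate, roots *x509.CertPool) error {
	cliConn, srvConn := net.Pipe()
	cliConn.SetDeadline(time.Now().Add(3 * time.Second)) // net.Pipe is synchronous; never hang on a failed handshake
	srvConn.SetDeadline(time.Now().Add(3 * time.Second))
	done := make(chan struct{})
	go func() {
		defer close(done)
		srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{serverCert}, SessionTicketsDisabled: true})
		_ = srv.Handshake() // a server-side failure surfaces as an error on the client
		srvConn.Close()
	}()
	cli := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: site})
	err := cli.Handshake()
	cliConn.Close()
	<-done
	return err
}

// Scenarios plays four servers against a client that trusts only the test CA and expects site: the genuine
// server; a self-signed forgery for site; a CA-issued certificate for another name (where "IP trickery"
// alone gets you); and a copy of the genuine certificate presented without its private key.
func Scenarios() (genuine, selfSigned, wrongName, stolenCert error) {
	caKey := genKey()
	caTmpl := template("Example Test CA", 1, true)
	ca := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	serverKey, forgerKey := genKey(), genKey()
	serverCrt := mint(template(site, 2, false), ca, &serverKey.PublicKey, caKey)
	otherCrt := mint(template("attacker.example", 3, false), ca, &forgerKey.PublicKey, caKey)
	selfTmpl := template(site, 4, false)
	selfCrt := mint(selfTmpl, selfTmpl, &forgerKey.PublicKey, forgerKey)
	genuine = handshake(tls.Certificate{Certificate: [][]byte{serverCrt.Raw}, PrivateKey: serverKey}, roots)
	selfSigned = handshake(tls.Certificate{Certificate: [][]byte{selfCrt.Raw}, PrivateKey: forgerKey}, roots)
	wrongName = handshake(tls.Certificate{Certificate: [][]byte{otherCrt.Raw}, PrivateKey: forgerKey}, roots)
	stolenCert = handshake(tls.Certificate{Certificate: [][]byte{serverCrt.Raw}, PrivateKey: forgerKey}, roots)
	return
}

func main() {
	g, s, w, k := Scenarios()
	fmt.Printf("genuine server: %v\nself-signed forgery: %v\ncert for another name: %v\nstolen cert, wrong key: %v\n", g, s, w, k)
}
```

Only the first handshake succeeds. The self-signed forgery fails the chain check (not issued by a trusted CA), the certificate for attacker.example fails the name check (the client compares the name it asked for against the certificate's SAN list, so rerouting traffic to a host with a perfectly valid certificate for a different name does not help), and the copied certificate fails at the step this message is getting at: the server has to sign handshake data that includes the client's freshly generated random (the CertificateVerify message in TLS 1.3, the signed ServerKeyExchange in TLS 1.2 with an ECDHE suite), and the client checks that signature with the public key in the certificate. A signature, not an encryption, is what proves possession of the private key, and a nonce chosen by the client is what stops a recorded handshake from being replayed. Session tickets are disabled on the server only so that the in-memory pipe has nothing left to deliver after the handshake; it does not change which servers are accepted.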