how can you verify that the site you get is not a fake?

Felipe Alfaro Solana felipe.alfaro at gmail.com
Mon Jun 6 13:38:58 UTC 2005


On 6/6/05, Matthew Miller <mattdm at mattdm.org> wrote:
> On Mon, Jun 06, 2005 at 06:05:58AM -0700, bruce wrote:
> > but you still haven't addressed my problem/issue/question...
> > and that's how do i as a user (not an app) know that this is the right
> > site for the url i entered... my fear is that a malicious site, could
> > simply fake the information he's providing, to 'look' like the actual/real
> > site...
> > and as of yet.. i can't craft a solution to this issue...
> 
> You could trust us that it's very hard to fake the SSL information, and then
> you could inspect that. (Double click on the little lock icon.) You'll see
> something like:
> 
>   Web Site Identity Verified
> 
>   The web site www.bu.edu supports authentication for the page you are
>   viewing. The identity of this web site has been verified by Thawte
>   Consulting cc, a certificate authority you trust for this purpose.
> 
> 
> In the Firefox advanced preferences, you can manage which certificate
> authorities you trust.

Nah! That's not enough... many web browsers are vulnerable to
cross-site scripting code. I've seen some real proof-of-concept web
sites that, by using a main frame protected via HTTP/S and a valid SSL
certificate, were vulnerable to cross-site scripting-like attacks
that were able to insert fake pages into a subframe without the web
browser even alerting about it.

SSL is very good, but poor implementations of web browsers, protocols,
and the end-user itself make it far from the perfect solution.

So the answer is: you really can't be sure 100% the site you're seeing
is really the site you're expecting to see. To alleviate the problem,
always enter the URL manually on your web browser, check the SSL
certificate, the CA that signed the SSL certificate and the IP address
of the target machine.
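An added example, not part of the thread, showing what the manual checks listed above amount to in code: match the expected hostname against the certificate's names, confirm the issuing CA, and compare the peer IP address, using the dict shape Python's `ssl` module returns from `getpeercert()`. The sample certificate values are constructed for illustration, and `inspect_site` assumes network access to the host.

```python
import socket
import ssl

def _field(rdns, name):
    """Collect one attribute (e.g. 'commonName') from a getpeercert()-style subject/issuer tuple."""
    return [value for rdn in rdns for (key, value) in rdn if key == name]

def _hostname_matches(pattern, host):
    """Exact match, or a single leftmost '*' label that stands for exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False

def check_identity(cert, expected_host, expected_issuer_org=None, expected_ips=None, actual_ip=None):
    """Return a list of mismatches (empty = every requested check passed); `cert` is getpeercert() output."""
    problems = []
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # no subjectAltName extension: fall back to the subject commonName
        names = _field(cert.get("subject", ()), "commonName")
    if not any(_hostname_matches(n, expected_host) for n in names):
        problems.append(f"hostname {expected_host!r} not covered by certificate names {names}")
    if expected_issuer_org is not None:
        issuer_org = _field(cert.get("issuer", ()), "organizationName")
        if expected_issuer_org not in issuer_org:
            problems.append(f"issuer organization {issuer_org} is not {expected_issuer_org!r}")
    if expected_ips is not None and actual_ip not in expected_ips:
        problems.append(f"peer address {actual_ip!r} not in expected {sorted(expected_ips)}")
    return problems

def inspect_site(host, port=443, **expectations):
    """Live variant: validated TLS handshake, then the same explicit checks on the real certificate."""
    ctx = ssl.create_default_context()  # the library validates chain and hostname; we re-check explicitly
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_identity(tls.getpeercert(), host, actual_ip=tls.getpeername()[0], **expectations)

# Constructed sample shaped like getpeercert() output; values are illustrative, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.bu.edu"),)),
    "issuer": ((("organizationName", "Thawte Consulting cc"),), (("commonName", "Sample Issuing CA"),)),
    "subjectAltName": (("DNS", "www.bu.edu"), ("DNS", "*.cs.bu.edu")),
}

if __name__ == "__main__":
    print(check_identity(SAMPLE_CERT, "www.bu.edu", expected_issuer_org="Thawte Consulting cc"))
```

Note that these checks only cover the top-level connection; a subframe loaded from elsewhere, as Felipe describes, carries its own certificate (or none) and is not covered by the lock icon of the outer page.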