Thread: Website certificates

  1. #1

    Website certificates

    We want to purchase some Verisign certificates for our site, but I struggle with the concept a little bit. I'm trying to think about Verisign certificates vs. the certificates generated locally on the server.

    What I don't understand is the following:
    Let's say my site is https://me.com and it points to my server.
    Now, my ISP DNS is hacked and as a result https://me.com is resolved to some hacker site that mimics my webpage.
    How will having a public Verisign certificate help me in this case....I mean my https traffic will be redirected to the malicious site anyway, right?

    I understand that a certificate is used for 2 purposes:
    1. To establish an SSL encryption tunnel
    2. To validate the authenticity of the site - and this is exactly what I don't get - if the ISP DNS is hacked, then how will my computer with the Verisign cert figure out that the site it is being redirected to is not valid? Or will it go to that site anyway....

    Thanks.

  2. #2
    Mentor
    Join Date
    Jun 2001
    Posts
    1,672

    Re:Website certificates

    A hacker won't have your Verisign certificate. So even if he redirects the https request to his server, he won't have the certificate on his server. Only if he got into your server, stole the certificate and installed it on his server.

  3. #3

    Re:Website certificates

    Will the browser know, if it has the Verisign cert, that it SHOULD NOT go to the spoofed site, or will it go anyway?
    Do browsers have the mechanism not to go to the spoofed site if the site certificate is not valid?

    If the spoofed site doesn't have my cert, then does this mean that the SSL session won't be established to the spoofed site? (and I'll see a 'page cannot be displayed' error?)

    Thanks.

  4. #4
    Senior Member
    Join Date
    May 2001
    Posts
    345

    Re:Website certificates

    Okay, you have a trusted certificate.

    User goes to your page, they get the little lock in the browser/stuff is sent encrypted.

    Now, someone else h4x0rs your dns, points the domain at their server. They can either use no ssl, or they can use a self signed ssl.

    no ssl: the lock won't appear and stuff is sent unencrypted.

    self signed ssl: pop up warning that the certificate is not trusted, prompt whether to accept it anyway.

  5. #5

    Re:Website certificates

    Somebody told me that IE and Netscape have a built-in mechanism for preventing users from going to spoofed sites if valid certificates are used (meaning things like Entrust and Verisign). In their words it means that when DNS is poisoned and traffic is redirected to another site, then the browser itself won't allow it to go there....is that really so?

  6. #6
    Senior Member
    Join Date
    May 2001
    Posts
    345

    Re:Website certificates

    [quote author=elovkoff link=board=5;threadid=9559;start=0#msg87102 date=1090730918]
    Somebody told me that IE and Netscape have a built-in mechanism for preventing users from going to spoofed sites if valid certificates are used (meaning things like Entrust and Verisign). In their words it means that when DNS is poisoned and traffic is redirected to another site, then the browser itself won't allow it to go there....is that really so?
    [/quote]

    No. Your friends don't know what they're talking about.

    AGAIN,

    when users go to your page with a certificate, they'll get the little lock, data transfer is encrypted, and no pop-up warnings.

    When someone else points your domain at their server, either

    They don't use ssl. No pop-up warnings, however the little lock icon won't be present and communication will be unencrypted.

    They use ssl that isn't trusted, and a pop-up warning is created, with a prompt to continue.

  7. #7

    Re:Website certificates

    Got it. Then why the hell do people think that having a Verisign cert is more secure than having a self-generated one...the only advantage I see of having the Verisign cert is that the user won't get prompted when connecting to the site....is that really it?
    Thanks.

  8. #8

    Re:Website certificates

    Verisign is extremely expensive, it really depends on the majority of clients. If it's all internal, self signed does the trick.

  9. #9
    Senior Member
    Join Date
    May 2001
    Posts
    345

    Re:Website certificates

    Yup, all you get with a trusted certificate is the user doesn't get a warning prompt. The encryption is the same whether you self-sign or pay for one.

    There are companies much cheaper than Verisign though.. not that it's ever truly "cheap" in my eyes. I wouldn't bother unless you're a company selling on the internet where warning prompts will discourage customers.
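
Added example, not part of any post in this thread: the check behind the trusted-versus-warning behaviour discussed above, run with Go's standard crypto/x509 package against the thread's me.com scenario. The CA, the three certificates and the name other.example are constructed for the illustration, and the root pool stands in for a browser's built-in CA list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name signed by parent; a nil parent means self-signed.
func issue(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA,
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pkey = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// check is the client's decision: chain to a trusted root AND match the requested host name.
func check(presented *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// scenario uses a constructed CA and certificates; me.com is the thread's host name.
func scenario() []error {
	ca, caKey := issue("ca.example", true, nil, nil)
	roots := x509.NewCertPool() // stands in for the browser's built-in CA list
	roots.AddCert(ca)
	genuine, _ := issue("me.com", false, ca, caKey)
	selfSigned, _ := issue("me.com", false, nil, nil) // what a DNS-redirected server could mint itself
	otherSite, _ := issue("other.example", false, ca, caKey)
	return []error{check(genuine, roots, "me.com"), check(selfSigned, roots, "me.com"), check(otherSite, roots, "me.com")}
}

func main() { fmt.Println(scenario()) }
```

The first result is nil (no warning); the second and third are the unknown-authority and host-name-mismatch errors that a browser surfaces as a certificate warning.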
