CAUTION!

CAUTION! DANGER ZONE ahead. Beware of misinformation on the open internet. Contents of the site are mere opinions and are not always facts!

Wednesday, September 6, 2017

Can I spoof a web application by spoofing its SSL certificate?

If the web server serves its SSL certificate to anyone who visits the site, can I spoof the web server by presenting a copy of that certificate?

Short answer: yes and no. I get past the certificate check, but I do not get any further than that.

I can impersonate the legitimate site as far as the certificate goes: it is public, anyone can download it, and an unmodified copy still carries a valid CA signature and the right host name. So if I can also get the client's traffic routed to me, the client will accept my copied certificate and believe it has reached the legitimate site. What I cannot do is get the client to actually communicate with me, because the certificate contains only the public key and the private key never leaves the legitimate server.

The client validates the certificate and continues the handshake, but the spoof server cannot complete it, because the handshake demands proof that the server holds the private key. With RSA key exchange (TLS 1.2 and earlier) the client encrypts the pre-master secret to the public key in the certificate, and without the private key the spoof server cannot decrypt it. With (EC)DHE in TLS 1.2, and in every TLS 1.3 handshake, the server must instead sign the handshake transcript with that private key, and the client rejects a signature that does not verify against the certificate's public key. Either way the handshake aborts before the client sends any application data, so the spoof server never gets to read the client's traffic. The protection rests entirely on the private key staying private; a stolen private key is a different story.

Background notes:

- SSL/TLS negotiation is based on asymmetric cryptography. In the classic RSA key exchange the client generates a pre-master secret, encrypts it with the server's public key (taken from the certificate the server presented) and sends it over; only the holder of the matching private key can decrypt it. Both sides then derive the master secret and the symmetric session keys from it, and all further traffic is encrypted with those symmetric keys. With (EC)DHE key exchange the secret is agreed by Diffie-Hellman instead, and the server proves it holds the private key by signing its handshake messages with it.

- A certificate is valid only if it has not been modified or tampered with. The issuing CA signs the certificate with the CA's private key, and anyone can verify that signature with the CA's public key alone; any change to the certificate's contents breaks the signature. Note that copying a certificate unchanged is not tampering: the signature on the copy still verifies, which is exactly why the copy passes the certificate check.

- Certificates are issued by a trusted CA (certificate authority) to the operator who proves control of the site. If a certificate is not backed by a chain leading to a CA in the client's trust store, the client must not trust it.

- The client (or the user) must verify the server's certificate to make sure it is talking to the server it intended to reach: the chain of trust, the validity period, and that the name in the certificate matches the host name requested. A client that skips this check, or a user who clicks through the browser warning, will send sensitive data to any spoofed site. In that case the attacker does not even need a copy of the real certificate; a self-signed one of their own will do, and since they hold its private key the handshake completes normally.
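The handshake failure described above and in the first background note, shown as an added example (not code from the original post). It is a simplified model written against the Go standard library, not a real TLS session: a self-signed RSA certificate stands in for a CA-issued one, the host name www.example.com and the signed transcript string are constructed, and the two exchanges are modelled directly with the RSA primitives rather than through a TLS library. The "spoof server" holds the copied certificate and a key pair of its own; the "legitimate server" holds the key that matches the certificate.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert builds a self-signed RSA certificate for host (stand-in for a CA-issued
// one). The DER bytes are public; the private key stays with the legitimate server.
func issueCert(host string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, key, err
}

// newSpoofKey is all the attacker can bring: a key pair of their own, because the
// copied certificate carries only the public half of the real one.
func newSpoofKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// rsaKeyExchange models the RSA key exchange of TLS 1.2 and earlier: the client
// encrypts a fresh pre-master secret to the public key from the certificate, and
// whoever answered must recover it with the matching private key.
func rsaKeyExchange(certDER []byte, serverKey *rsa.PrivateKey) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false, errors.New("certificate does not carry an RSA public key")
	}
	// Client side.
	preMaster := make([]byte, 48)
	if _, err := rand.Read(preMaster); err != nil {
		return false, err
	}
	clientKeyExchange, err := rsa.EncryptPKCS1v15(rand.Reader, pub, preMaster)
	if err != nil {
		return false, err
	}
	// Server side: with the wrong key the padding check fails and the handshake stops.
	recovered, err := rsa.DecryptPKCS1v15(rand.Reader, serverKey, clientKeyExchange)
	if err != nil {
		return false, nil
	}
	return bytes.Equal(recovered, preMaster), nil
}

// signedKeyExchange models the other proof of possession TLS uses: the (EC)DHE
// ServerKeyExchange signature in TLS 1.2 and CertificateVerify in TLS 1.3. The
// server signs the transcript; the client verifies it with the certificate's key.
func signedKeyExchange(certDER []byte, serverKey *rsa.PrivateKey) (bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false, err
	}
	// Constructed stand-in for the handshake transcript the real protocol signs.
	transcript := []byte("ClientHello|ServerHello|ephemeral key share")
	digest := sha256.Sum256(transcript)
	sig, err := rsa.SignPKCS1v15(rand.Reader, serverKey, crypto.SHA256, digest[:])
	if err != nil {
		return false, err
	}
	return cert.CheckSignature(x509.SHA256WithRSA, transcript, sig) == nil, nil
}

func main() {
	certDER, legitKey, err := issueCert("www.example.com") // hypothetical host name
	if err != nil {
		panic(err)
	}
	spoofKey, err := newSpoofKey()
	if err != nil {
		panic(err)
	}
	for name, key := range map[string]*rsa.PrivateKey{"legitimate": legitKey, "spoof": spoofKey} {
		rsaOK, _ := rsaKeyExchange(certDER, key)
		sigOK, _ := signedKeyExchange(certDER, key)
		fmt.Printf("%-10s server: RSA key exchange=%v signed key exchange=%v\n", name, rsaOK, sigOK)
	}
}
```

Run it with `go run .` and the legitimate server passes both exchanges while the spoof server fails both, even though both present byte-for-byte the same certificate. The second function is the one that matters today: modern clients negotiate (EC)DHE or TLS 1.3, so the check the attacker cannot pass is a signature verification rather than a decryption.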
