Timeline for Understanding digital certifications
Current License: CC BY-SA 3.0
11 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Jun 16, 2020 at 9:49 | history | edited | CommunityBot | Commonmark migration | |
| Aug 29, 2015 at 6:53 | comment | added | Noob | Mike, I hope you are still here. With the information here, I am trying to put everything in a whole picture @ security.stackexchange.com/questions/98055/… - hope to seek your opinion and wisdom | |
| Jul 13, 2015 at 0:59 | vote | accept | Noob | ||
| Jul 12, 2015 at 15:07 | comment | added | Mike Ounsworth | Yes, that is a viable attack. Browsers will check that the cert you've been given matches the domain that you requested, so ultimately the user is responsible for looking at the URL in a link, or the address bar every time they load a new site. Even there, there are misleading things you can do with URLs, for example [email protected] will actually take you directly to stackexchange, not reddit. | |
| Jul 12, 2015 at 6:42 | comment | added | Noob | Sorry for not being able to elaborate clearly. What I meant is actually having the so-called "stranger" faking the message, the hash, and signing the hash with his own key + giving us his digital cert with his public key. The public cert though is a valid one given by the CA (due to some x,y reason, the checking went through). So here I am, as a user requesting to go to www.real.com, but somehow got routed to www.false.com, given a false digital cert, having a false message + signed hash; and then using the public key in the cert to decrypt the message and think it's all real. | |
| Jul 11, 2015 at 22:18 | comment | added | Mike Ounsworth | I'm not entirely sure what you're asking, but yes, your browser will complain pretty hard if it requests content from www.siteA.com but gets handed a cert for www.siteB.com. | |
| Jul 11, 2015 at 19:38 | comment | added | Noob | Thanks for explaining further. Is there any chance that a hacker (maybe using his brother's company name) has obtained a signed cert from a CA? When a user attempts to access www.real.com, somehow the hacker manages to route this request to his own webserver and sends his digital cert (which is verified by the CA) to the user? Will the end user's browser check that the cert retrieved contains and matches the domain name the browser is trying to access? | |
| Jul 11, 2015 at 14:00 | comment | added | Mike Ounsworth | That's not a simple question, so I updated my answer, rather than do it in comments. | |
| Jul 11, 2015 at 13:59 | history | edited | Mike Ounsworth | CC BY-SA 3.0 | addressed the question from comments |
| Jul 11, 2015 at 11:44 | comment | added | Noob | Thanks for the explanation. What if someone (that fake person) also sends you his public key? So he uses his own fake message, hashes it, encrypts it with his own private key, and you, holding on to his public key, are able to decrypt it and think that the message is real? | |
| Jul 10, 2015 at 19:54 | history | answered | Mike Ounsworth | CC BY-SA 3.0 |