WebApp Sec mailing list archives

Authenticating a web server
From: Amit Sharma <amit.sharma () linuxwaves com>
Date: 28 Mar 2004 14:04:56 -0000
Hi list,

Was wondering what the various ways of authenticating a web server are. By this, I mean, how do I know if I am talking
to the right server and not any phony website?

Option # 1
To my understanding, we can verify the identity of the server if it has a certificate seal on its website.
Something similar to what is issued by VeriSign. But then, to me, it doesn't look like a foolproof solution since the
security logo that VeriSign provides and provides links to, can also be made phony. Do VeriSign people patrol for phony
logos of their security seal?


Option # 2
How about storing the header (HTTP/HTTPS) information of the web server, such as the web server version and other
specific details which do not change quite often, for authentication purposes. This can be used to cross-check with the
header info of a phony website claiming to be the original one. Typically, attackers building phony websites just
duplicate the look and feel of the original website without actually bothering about modifying the header information
as well.

I am sure there must be better ways for authenticating a web server. Would like to have some expert comments from Web
Application Security gurus.

Gracias,
Amit

---
Whoops! There are still thousands of nuclear weapons in the world
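The question above asks how a client can know it is talking to the right server. Neither a seal image on the page nor a remembered Server header is authentication: both are content the server sends about itself and can be copied. What actually binds a connection to a name is TLS certificate validation: a chain to a trusted CA plus a hostname check against the certificate's subjectAltName entries. The block below is an added example, not code from the original post or from the list; it implements the hostname-matching step (a simplified form of the RFC 6125 rules, which is an assumption of this example), shows the client-side settings that make a Python `ssl` context refuse an unverified peer, and uses a constructed certificate dictionary in the shape `getpeercert()` returns rather than a real certificate.

```python
"""Added example: checking that a TLS peer really is the host you meant to reach.

Not part of the original mailing-list post. SAMPLE_CERT is a constructed
stand-in in the dict shape that ssl.SSLSocket.getpeercert() returns; the
wildcard rules in match_dns_name() are a simplification of RFC 6125 6.4.3.
"""
import socket
import ssl


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`.

    Simplified rules:
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard may only be the entire left-most label ("*.example.test")
      - the wildcard matches exactly one label: not the parent name itself
        and not a name with extra labels ("a.b.example.test")
      - a wildcard needs at least two labels after it, so "*.test" never
        matches every name under a top-level domain
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, appear nowhere else, and leave
    # at least two labels to the right of it.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """Check a parsed certificate against the intended hostname.

    Only subjectAltName dNSName entries count; the Subject CN is ignored,
    as current validators do.
    """
    san = cert.get("subjectAltName", ())
    return any(kind == "DNS" and match_dns_name(value, hostname)
               for kind, value in san)


def strict_client_context() -> ssl.SSLContext:
    """A client context that refuses to talk to a server it cannot verify."""
    ctx = ssl.create_default_context()          # system CA store, sane defaults
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                   # name in cert must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED         # chain must validate, no exceptions
    return ctx


def verify_server(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, let the library validate chain and hostname, and return the
    peer certificate. Raises ssl.SSLCertVerificationError on mismatch.
    Needs network access, so it is not exercised offline."""
    ctx = strict_client_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.api.example.test")),
}

if __name__ == "__main__":
    for host in ("www.example.test", "v1.api.example.test",
                 "a.b.api.example.test", "example.test"):
        print(f"{host:24} covered={cert_covers_host(SAMPLE_CERT, host)}")
```

The point the example makes against "Option 2" in the post: a stored Server header is compared by the client to a value the server chooses, so a copy of the site that also copies the header passes. The certificate check is different in kind, because the name is bound to a key the phony site does not hold, and a CA-signed certificate for that name is what it cannot forge. In practice, keep `check_hostname` and `verify_mode` at these defaults and never lower them to "fix" a connection error; the error is the check working.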
