WebApp Sec mailing list archives

RE: Authenticating a web server


From: "Imperva Application Defense Center" <adc () imperva com>
Date: Sun, 28 Mar 2004 16:54:23 +0200

The Verisign Logo can be faked as much as wanted. It is just an indication
of the real security practice taken in regard to the Web Server's
authenticity.

Assuming you are connecting to the server in SSL, you are supposed to
receive a certificate from the server. This certificate holds the
server's identity, and must match the server's FQDN. This certificate
should be signed by someone you trust (e.g. VeriSign). This signature
can be verified against the certificate (containing the public key) of
VeriSign.

All this assumes, of course, that you DO trust VeriSign, and their
manual verification procedures (such as phone calls, personal
identification, etc.), and that you were able to get VeriSign's
certificate in a secure manner (no possible man-in-the-middle attack).


Personally, I believe that relying on headers is very insecure, as an
attacker who wishes to fake your server will have an easy time forging
the headers as well.

Sincerely,

--
Ofer Maor
Application Defense Center Manager
Imperva
http://www.imperva.com/adc


-----Original Message-----
From: Amit Sharma [mailto:amit.sharma () linuxwaves com] 
Sent: Sunday, March 28, 2004 4:05 PM
To: webappsec () securityfocus com
Subject: Authenticating a web server

Hi list,

Was wondering what are the various ways for authenticating a web server.
By this, I mean, how do I know if I am talking to the right server and
not any phony website?

Option # 1

To my understanding, we can verify the identity of the server if it
has a certificate seal on its website. Something similar to what is
issued by verisign. But then, to me, it doesn't look like a foolproof
solution since the security logo that verisign provides and provides
links to, can also be made phony. Do verisign people patrol for phony
logos of their security seal?

Option # 2

How about storing the header ( HTTP/HTTPS ) information of the web
server such as the web server version and other specific details which
do not change quite often for authentication purposes. This can be used
to cross check with the header info of a phony website claiming to be
the original one. Typically, attackers building phony websites just
duplicate the look and feel of the original website without actually
bothering about modifying the header information as well.

I am sure there must be better ways for authenticating a web server. Would
like to have some expert comments from Web Application Security gurus.

Gracias,

Amit



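The check Ofer describes above (a certificate chained to a CA you trust, whose name must match the FQDN you meant to reach), as an added Python example that is not part of this thread: the peer-certificate dict is a constructed sample in the shape `getpeercert()` returns, and `verified_peer_cert` assumes a reachable host whose chain validates against the system CA store.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# this is not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
}


def _label_matches(pattern, hostname):
    """Match one dNSName pattern against a hostname.
    A wildcard is honoured only as the whole leftmost label, covers exactly
    one label, and may not stand in for a bare domain like *.com."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def cert_matches_hostname(cert, hostname):
    """Does the certificate name the host we intended to connect to?
    subjectAltName dNSName entries are authoritative; the subject CN is
    consulted only when the certificate carries no SAN at all."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return any(_label_matches(n, hostname) for n in names)


def verified_peer_cert(hostname, port=443, timeout=5.0):
    """Connect over TLS with chain verification against the system CA store
    and hostname checking enabled, then return the validated peer cert dict.
    An untrusted chain or a name mismatch raises ssl.SSLCertVerificationError,
    which is the point: a forged page cannot satisfy this, whereas any
    HTTP header it sends is entirely under the attacker's control."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```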