[125225] in cryptography@c2.net mail archive
Re: Can we copy trust?
daemon@ATHENA.MIT.EDU (Dave Howe)
Tue Jun 3 21:26:22 2008
Date: Tue, 03 Jun 2008 21:47:01 +0100
From: Dave Howe <DaveHowe@gmx.co.uk>
To: Email List - Cryptography <cryptography@metzdowd.com>
In-Reply-To: <4844AE47.4080006@links.org>
Ben Laurie wrote:
> Ed Gerck wrote:
>> Ben Laurie wrote:
>>> But doesn't that prove the point? The trust that you consequently
>>> place in the web server because of the certificate _cannot_ be copied
>>> to another webserver. That other webserver has to go out and buy its
> >>> own copy, with its own domain name in it.
>>
>> A copy is something identical. So, in fact you can copy that server
>> cert to another server that has the same domain (load balancing), and
>> it will work. Web admins do it all the time. The user will not notice
>> any difference in how the SSL will work.
>
> Obviously. Clearly I am talking about a server in a different domain.
Up until recently, you could buy a cert for one domain, use *it* to
issue a cert for another domain, and the major web browsers wouldn't
kick at the traces provided you sent both certs in the ssl handshake.
Thankfully, they fixed that before *too* many phishers figured it out.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
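
A chain like the one described in the reply above is rejected by a validator that enforces the X.509 basicConstraints CA flag on every issuing certificate. The following regression check is an added example, not part of the original message; it assumes the OpenSSL command-line tool is on the PATH, and every name, key and certificate in it is a constructed test value.

```sh
#!/bin/sh
# Added example. All names, subjects and keys below are constructed test values.
# Returns 0 when OpenSSL accepts root -> leaf but rejects root -> leaf -> other,
# where "leaf" is an ordinary end-entity certificate (CA:FALSE) used as an issuer.
check_leaf_as_issuer() (
  d=$(mktemp -d) && cd "$d" || exit 2
  trap 'rm -rf "$d"' EXIT
  cat > x.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[ee]
basicConstraints = critical,CA:FALSE
EOF
  newkey() {  # $1 = file stem, $2 = subject CN; writes $1.key and $1.csr
    openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  }
  sign() {    # $1 = subject stem, $2 = issuer stem; writes $1.pem as end-entity
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -extfile x.cnf -extensions ee -days 2 -out "$1.pem" 2>/dev/null
  }
  # Constructed self-signed test root with CA:TRUE.
  openssl req -x509 -config x.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Constructed Test Root" -days 2 \
    2>/dev/null || exit 2
  newkey leaf www.example.com  && sign leaf root  || exit 2
  newkey other www.example.net && sign other leaf || exit 2
  # Sanity check: the legitimately issued leaf must validate.
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 || exit 1
  # The chain through the leaf must fail, specifically on the CA check.
  out=$(openssl verify -CAfile root.pem -untrusted leaf.pem other.pem 2>&1) && exit 1
  printf '%s\n' "$out" | grep -qi "invalid CA certificate"
)

check_leaf_as_issuer && echo "rejected: CA:FALSE certificate used as issuer" \
  || echo "unexpected result"
```

The same three files can be pointed at any other TLS stack's verifier to confirm it fails the chain for the same reason.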