WebApp Sec mailing list archives
Authenticating a web server
From: Amit Sharma <amit.sharma () linuxwaves com>
Date: 28 Mar 2004 14:04:56 -0000
Hi list, Was wondering what are the various ways for authenticating a web server. By this, I mean, how do I know if I am talking to the rite server and not any phony website? Option # 1 To my understanding, we can verifying the identity of the server if it has a a certificate seal on its website. Something similar to what is issued by verisign. But then, to me, it doesn't look like a full proof solution since the security logo that verisign provides and provides links to, can also be made phony. Do verisign people patrol for phony logos of their security seal? Option # 2 How about storing the header ( HTTP/HTTPS ) information of the web server such as the web server version and other specific details which do not change quite often for authenticating purpose. This can be used to cross check with the header info. of a phony website claiming to be the original one. Typically, attackers building phony websites just duplicate the look and feel of the original website without actually bothering about modifying the header information as well. am sure there must be better ways for authenticating a web server. Would like to have some expert comments from Web Application Security gurus. Gracias, Amit --- Whoops! There are still thousands of nuclear weapons in the world
Current thread:
- Authenticating a web server Amit Sharma (Mar 28)
- Re: Authenticating a web server Steve Suehring (Mar 28)
- <Possible follow-ups>
- RE: Authenticating a web server Imperva Application Defense Center (Mar 28)