[cap-talk] RFC 2818 and Petname
Bill Frantz
frantz at pwpconsult.com
Fri Dec 5 00:57:13 EST 2008
RFC 2818 says:
In general, HTTP/TLS requests are generated by dereferencing a URI.
As a consequence, the hostname for the server is known to the client.
If the hostname is available, the client MUST check it against the
server's identity as presented in the server's Certificate message,
in order to prevent man-in-the-middle attacks.
...
Note that in many cases the URI itself comes from an untrusted
source. The above-described check provides no protection against
attacks where this source is compromised. For example, if the URI was
obtained by clicking on an HTML page which was itself obtained
without using HTTP/TLS, a man in the middle could have replaced the
URI. In order to prevent this form of attack, users should carefully
examine the certificate presented by the server to determine if it
meets their expectations.
And the Petname tool is one way of carefully examining the certificate. :-)
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | When it comes to the world | Periwinkle
(408)356-8506 | around us, is there any choice | 16345 Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall | Los Gatos, CA 95032
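As an added illustration (not part of Bill's message, and not the code of any petname tool), the following Python sketches the RFC 2818 section 3.1 hostname check quoted above next to a petname lookup keyed on the certificate's public key. It shows the point the RFC makes: a look-alike site whose certificate genuinely matches the hostname in a substituted URI passes the hostname check, while the petname lookup reports that this is not the key the user previously named. The certificates, SPKI bytes, hostnames, `PetnameStore` and `evaluate` are constructed assumptions for the example; real certificates would be parsed from DER.

```python
"""RFC 2818 hostname matching beside a petname lookup (illustrative example).

Certificates are modelled as plain dicts with constructed sample data so the
script runs offline with only the standard library.
"""
import hashlib
from typing import Optional


def _match_component(pattern: str, label: str) -> bool:
    """Match one DNS label against one pattern label.

    RFC 2818 3.1: '*' matches any single domain name component or component
    fragment, so 'f*.com' matches 'foo.com' and '*.a.com' matches 'foo.a.com'.
    """
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")   # assumes at most one '*'
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive, label-by-label match; a wildcard never spans a dot."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False        # '*.a.com' must not match 'bar.foo.a.com'
    return all(_match_component(p, h) for p, h in zip(pat, host))


def rfc2818_hostname_check(cert: dict, hostname: str) -> bool:
    """True if the certificate's identity covers hostname.

    dNSName entries in subjectAltName are authoritative; the Common Name is
    consulted only when the certificate carries no dNSName at all.
    """
    names = cert.get("san_dns") or [cert.get("cn", "")]
    return any(dns_name_matches(n, hostname) for n in names)


def spki_fingerprint(cert: dict) -> str:
    """Stable identity for a petname: SHA-256 over the SubjectPublicKeyInfo."""
    return hashlib.sha256(cert["spki"]).hexdigest()


class PetnameStore:
    """User-assigned names keyed by key fingerprint, never by hostname."""

    def __init__(self) -> None:
        self._names: dict = {}

    def assign(self, cert: dict, petname: str) -> None:
        self._names[spki_fingerprint(cert)] = petname

    def lookup(self, cert: dict) -> Optional[str]:
        return self._names.get(spki_fingerprint(cert))


def evaluate(store: PetnameStore, hostname: str, cert: dict) -> dict:
    """Combine the two checks: does the cert match the URI's host, and is it
    a key the user has named?  A None petname on a 'good' hostname is exactly
    the case the RFC warns the hostname check cannot catch."""
    return {
        "hostname_ok": rfc2818_hostname_check(cert, hostname),
        "petname": store.lookup(cert),
    }


# Constructed sample certificates (not real keys or sites).
BANK_CERT = {
    "cn": "bank.example",
    "san_dns": ["bank.example", "*.bank.example"],
    "spki": b"constructed-spki-bytes-for-the-real-bank",
}
LOOKALIKE_CERT = {
    "cn": "bank-example.net",
    "san_dns": ["bank-example.net"],
    "spki": b"constructed-spki-bytes-for-an-attacker",
}


def demo() -> list:
    store = PetnameStore()
    store.assign(BANK_CERT, "My Bank")      # the user named this key earlier
    # Genuine link: hostname matches the wildcard, and the key is known.
    real = evaluate(store, "www.bank.example", BANK_CERT)
    # Link swapped on a plain-HTTP page: hostname check passes, key unknown.
    fake = evaluate(store, "bank-example.net", LOOKALIKE_CERT)
    return [real, fake]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The petname store deliberately keys on the public key rather than the hostname or the subject name: a different key presented under a plausible name is exactly what the store should fail to recognise.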