0

I want to make sure that I am connecting to the right server with my client side (it's an encrypted chat, irrelevant) I am using SSL3. Can someone just fake a certificate? Can I really trust that the connection is to the right server?

Anders
  • 65,052
  • 24
  • 180
  • 218

1 Answers1

0

TL,DR: Yes, you can trust the certificate.

Long version:

You browser have a list of trustworthy entities, named Certificate Authorities (or CA, for short). They have the task of signing SSL certificates along the way. They must comply to a lot of rules, and if they mess up, they can be axed from this list, and all certificates they emitted got invalid overnight.

(That happened with DigiNotar)

When anyone wants a SSL certificate( e.g John Doe), he goes to one of those companies, and ask for one. Usually the issuer have some kind of verification to determine if you owns the certificate you are asking a certificate for. If so, you get the certificate (it's just a text file) and put it on your webserver.

The certificate can be changed if you are under a corporate proxy that performs SSL traffic inspection (an intercepting proxy). They intercept the connection, decrypts the traffic, analyses, creates another certificate, and sends back. In this case, a certificate appearing to be from Google.com was not issued for Google, but instead issued from your proxy.

Sometimes, people can get a certificate for a domain they don't own. That usually happens when those people intend to perform a phishing attack against the users of the legitimate domain.

If someone issued a certificate without using the services of the CA, your browser will complain. Depending on how the certificate was created, it will say the certificate is self-signed, or the certificate chain is invalid. In this cases, you obviously cannot trust it.

So, except in almost negligible situations, you can trust the certificate.

ThoriumBR
  • 51,983
  • 13
  • 131
  • 149