You can't use another website's certificate because when you replace the certificate's domain name with yours the certificate would become invalid (due to hashing). However, if you could make a user connect to a totally different IP-adress when they type www.google.com you could keep the certificate's domain name the same and thuss circumvent that security measure.
Is there a system in place that prevents you from doing this in either SSL or DNS? Or alternatively, is my understanding of SSL and DNS wrong?
Asked
Active
Viewed 1,213 times
1
Galian Prist
- 11
- 2
1 Answers
0
Yes, SSL/TLS also protects you against spoofed DNS answers (at least for those connections which actually use TLS). The reason behind this is that a client has to compare the hostname you enter (in the Browser URL bar) with the hostnames listed in the certificate.
If you now get redirected to a wrong IP address this host has either a different hostname in the certificate, or it contains a hostname where it does not get CA signature for. Both will be flagged as a problem by the browser. You can also not steal a certificate from a valid host, because in order to use it as a server you also need its secret key.
This however only works if all hundreds of CAs of this world play by the rules and all clients do the checking.
eckes
- 962
- 8
- 19