I have done a small test and the result is as expected, but I am trying to understand more. I have configured a fake DNS server to resolve all names to the IP of my VPS. On my VPS, I installed a web server with SSL, then set my client computer's DNS to the fake DNS.

When I ping Facebook.com from the CMD tool, the server resolves the IP to the VPS web server's IP (this is good). When I try to open Facebook from the Chrome browser, it says the connection is insecure, but if I directly try to open the IP of the VPS with HTTPS, it is successful.

I want to understand how Chrome checks that the connection is insecure before a handshake with the real Facebook. If the VPS also includes a real SSL certificate, why does Chrome not open it successfully? According to my understanding, Chrome gets the IP of the domain (Facebook) from the fake DNS and tries to open the IP of Facebook (the VPS IP in this case). If the remote VPS also includes SSL that opens successfully when I try the IP of the VPS directly, why don't other web sites forward to the VPS with an SSL connection?

My browser's message is:

www.facebook.com normally uses encryption to protect your information. When Google Chrome tried to connect to www.facebook.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.facebook.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
David
FariZ
  • Because Chrome cannot validate a fake SSL certificate. Because it is fake (not trusted). – Crypt32 Feb 01 '18 at 21:15
  • SSL is not fake. We got a paid SSL certificate; it works for our domain. The DNS is fake, which resolves all domains to our domain. – FariZ Feb 01 '18 at 21:17
  • I think our SSL certificate includes a different domain name and it does not match the domain Chrome requested, but I'm not sure. – FariZ Feb 01 '18 at 21:18
  • Then you get a name mismatch error. Actually, Chrome provides the exact error in the message. Did you read it? – Crypt32 Feb 01 '18 at 21:20
  • Added to the question. – FariZ Feb 02 '18 at 03:46
  • This is answered in detail in [SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?](https://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity). The main details are: chain must be trusted (which is true in your case) and subject of certificate must match the domain in URL (which is not in your case). – Steffen Ullrich Feb 02 '18 at 04:20
  • It is clear now. So I want to know: is it possible to open the VPS web site by typing facebook.com successfully (without a warning), or is it impossible? – FariZ Feb 02 '18 at 05:27

1 Answer

While your VPS may have a valid certificate for your domain, your browser is expecting the certificate to match www.facebook.com. Without a trusted certificate for that domain, the browser will be unable to connect over HTTPS.

Having a certificate for one domain is not good enough to establish a TLS connection for any other domain.

David
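The two checks named in the answer and in Steffen Ullrich's comment (trusted chain, then name match against the host in the URL), as an added example that is not part of the original thread. The certificate dict follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the `vps.example` names, `VPS_CERT` and the function names are constructed for illustration.

```python
# Added example: why a valid certificate for one domain is rejected for another.
# DNS only decides which IP the client connects to; the name that is checked
# against the certificate is the host typed in the URL.

# Constructed sample: a CA-issued certificate for the VPS's own domain.
VPS_CERT = {
    "subject": ((("commonName", "vps.example"),),),
    "subjectAltName": (("DNS", "vps.example"), ("DNS", "*.vps.example")),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one subjectAltName dNSName entry with the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if p[0] == "*":
        if len(p) < 3:
            return False  # refuse over-broad patterns such as *.com
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(cert: dict, hostname: str) -> bool:
    """Only subjectAltName is consulted; current browsers ignore commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(name, hostname) for name in sans)


def connect_decision(cert: dict, chain_trusted: bool, url_host: str) -> str:
    """Both conditions must hold before any application data is exchanged."""
    if not chain_trusted:
        return "reject: untrusted chain"
    if not cert_covers(cert, url_host):
        return "reject: name mismatch"
    return "accept"


if __name__ == "__main__":
    # The fake DNS sent the client to the VPS, but the URL still says facebook.
    for host in ("www.facebook.com", "vps.example", "www.vps.example"):
        print(host, "->", connect_decision(VPS_CERT, True, host))
```

Python's own TLS client applies the same rule when `ssl.create_default_context()` is used, because that context enables `check_hostname` and requires a verified chain.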