0

Let's say I am behind my PC and want to go to any secured website (HTTPS). I have the direct IP address so any possible hack on DNS level is not possible (because I am not using it ;) ).

The packet which is going to the right place (to the secured website) goes through different ISP servers.

Some malicious hacker is sitting on one of those servers between me and the website. He responds with a wrong certificate and tries to make a secure connection with me sitting behind my PC. He is faking that he is the website.

When someone purchased a certificate from VeriSign for example they always asks for a domain name.

From that point I am the only one with a certificate for that domain. A hacker can't purchase a certificate with the same domain name (correct me if this is wrong!!).

So my question is: Is a web browser (Firefox, IE, Chrome, Opera, Safari etc.) capable of detecting that the certificate is not for the corresponding domain, and give an error back that something strange happened along the way?

If you have any more information on this topic, please tell me.

RoraΖ
  • 12,347
  • 4
  • 51
  • 83
  • "From that point I am the only one with a certificate from that domain." Why? –  Jan 12 '15 at 10:11
  • When I purchase an certificate the company who will give me one will check if I am the owner of the domain. If I can prove if this is true then they will give me an certificate. Of course I can purchase more certificates for one domain. But the malicious hacker is not able in getting an certificate with my domain name in it, because he/she can not prove that the domain is his/her domain. –  Jan 12 '15 at 10:15
  • That will only last until the certificate gets used. Of course, it _should_ still be the case that the only certificate(s) for that site is(/are) for your public key(s). –  Jan 12 '15 at 10:17
  • 1
    Sorry, I am not following you right now. Can give some more info? –  Jan 12 '15 at 10:24
  • Certificates are usually sent in clear, so it would usually be easy for someone else to get a copy of your certificate. –  Jan 12 '15 at 10:32
  • As you explicitly mentioned 'on first contact' there is still a great risk that the attacker just replaces your HTTPS connection with a HTTP one. Google for 'SSLStrip' if you want to know more. HSTS may protect you from SSLStrip, unless it is the very first time you are connecting to the target website. – Michael Jan 12 '15 at 11:13
  • If I would explicitly type in the browser https://... would it still be possible to do an downgrade attack? –  Jan 12 '15 at 15:07
  • No, it would not. – Michael Jan 12 '15 at 16:06

1 Answers1

2

To the best of my knowledge the problem you'll encounter in the described scenario is that certificates don't usually work by IP address

This may vary from site to site, so test against your desired site by browsing to it via IP and seeing if you get a valid HTTPS connection.

The rest of the question is more straightforward - yes browsers will give you a certificate error if there's an issue with the cert. Unfortunately most users just click through these errors because they don't care or know enough to understand the risk.

You are correct in thinking that it's not possible to buy a certificate for a domain someone already has the certificate for - or not from a trusted CA (Certificate Authority) anyway. What an attacker will usually do is self-sign a certificate, so if you inspect it, it will show as being for the correct site, but browsers should throw a warning at you because the CA is untrusted.

AlexH
  • 1,168
  • 6
  • 8
  • Thanks this is really helping. Would it be possible for an hacker to download my certificate from my site and use it? –  Jan 12 '15 at 10:25
  • May be worth reading here: http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work But in short, no, they would need your private key from your server (which would require compromising the machine). – AlexH Jan 12 '15 at 10:26
  • Thanks. So if I try google (https://google.com) will work but when I try the ip address (https://173.194.79.99/) it is giving me an certificate error of untrusted.... But it is possible to purchase an certificate based on ip address, right? –  Jan 12 '15 at 10:34
  • Yeah, the browser tries to match the certificate against what's in the URL bar, and since the certificate is for google.com it comes back as invalid. Some places will have SSL certificates on their IP addresses, but I suspect it would be a nightmare for Google to manage that with the number IPs they have! – AlexH Jan 12 '15 at 10:37
  • That would be an nightmare indeed! But just to be sure it is possible to purchase an Certificate for an ip address right? –  Jan 12 '15 at 10:38
  • It is, yes. I don't want to advertise any certificate authority in particular, but a Google for "certificate for IP address" will bring you a list of places that offer them. – AlexH Jan 12 '15 at 10:42