Can we copy trust?
Dave Howe
DaveHowe at gmx.co.uk
Tue Jun 3 16:47:01 EDT 2008

Ben Laurie wrote:
> Ed Gerck wrote:
>> Ben Laurie wrote:
>>> But doesn't that prove the point? The trust that you consequently
>>> place in the web server because of the certificate _cannot_ be copied
>>> to another webserver. That other webserver has to go out and buy its
>>> own copy, with its own domain name in it.
>>
>> A copy is something identical. So, in fact you can copy that server
>> cert to another server that has the same domain (load balancing), and
>> it will work. Web admins do it all the time. The user will not notice
>> any difference in how the SSL will work.
>
> Obviously. Clearly I am talking about a server in a different domain.

Up until recently, you could buy a cert for one domain, use *it* to
issue a cert for another domain, and the major web browsers wouldn't
kick at the traces provided you sent both certs in the ssl handshake.
Thankfully, they fixed that before *too* many phishers figured it out.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
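Added example, not part of the original message: the check whose absence allows the chain described in the last reply is the RFC 5280 basicConstraints test, which requires every certificate that acts as an issuer in the path to be marked as a CA. The sketch below works on a simplified certificate model (the `Cert` class, the names and the sample chains are constructed for illustration, and signatures are not modelled) and contrasts name-chaining alone with the full constraint check.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:                      # simplified model, not a real X.509 parser
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint

def name_chaining_only(chain, anchors):
    """Lax check: every issuer name matches the next subject and the
    chain ends at a trusted root. chain[0] is the server certificate."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].subject in anchors

def path_errors(chain, anchors):
    """Name chaining plus basicConstraints; returns a list of problems."""
    errors = []
    if not name_chaining_only(chain, anchors):
        errors.append("chain does not link to a trust anchor")
    # below = number of intermediate certificates under this issuer
    for below, issuer in enumerate(chain[1:]):
        if not issuer.is_ca:
            errors.append(f"{issuer.subject} issued a certificate but is not a CA")
        elif issuer.path_len is not None and below > issuer.path_len:
            errors.append(f"{issuer.subject} pathLenConstraint exceeded")
    return errors

# Constructed sample data
ANCHORS = {"Example Root CA"}
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
SITE_A = Cert("a.example", "Example Root CA")   # ordinary server cert
SITE_B = Cert("b.example", "a.example")         # issued by SITE_A
GOOD_CHAIN = [SITE_A, ROOT]
BAD_CHAIN = [SITE_B, SITE_A, ROOT]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, name_chaining_only(chain, ANCHORS), path_errors(chain, ANCHORS))
```

The second chain passes name chaining, which is why a validator that stops there accepts it; only the cA flag check rejects it.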