VPN - Question: Digital certificates and impersonation


kate0104@hotmail.com

2005-01-13, 5:45 pm

Suppose someone is able to compromise my DNS
Suppose now I try to establish an IPSec tunnel to my cisco concentrator
but I end up connecting to a different malicious concentrator.
Suppose this malicious concentrator has a valid Certificate signed by a
known CA.
Would my cisco VPN client realize there's something wrong during its
peer identity validation ?

thank you for your answers

Larry Riffle

2005-01-13, 5:45 pm

kate0104@hotmail.com wrote:
> Suppose someone is able to compromise my DNS
> Suppose now I try to establish an IPSec tunnel to my cisco concentrator
> but I end up connecting to a different malicious concentrator.
> Suppose this malicious concentrator has a valid Certificate signed by a
> known CA.
> Would my cisco VPN client realize there's something wrong during its
> peer identity validation ?
>
> thank you for your answers
>


Unless somebody has pulled one over on the CA, the common name won't match.

kate0104@hotmail.com

2005-01-13, 5:45 pm


Larry Riffle wrote:
> kate0104@hotmail.com wrote:
> > [...]
>
> Unless somebody has pulled one over on the CA the common name won't
> match.

So is the host name I enter in my cisco VPN client checked against the
common name ? or does my client only verify I'm connecting with a
concentrator with a valid certificate (even if belonging to a
completely different concentrator) ?
What is not clear to me (and I haven't been able to find some
clarifying document on cisco website) is if the ip address / hostname I
enter in my cisco client are checked against some field in the
concentrator (valid) certificate.

Larry Riffle

2005-01-14, 8:45 pm

kate0104@hotmail.com wrote:
> Larry Riffle wrote:
> > [...]
> >
> > Unless somebody has pulled one over on the CA the common name won't
> > match.
>
> So is the host name I enter in my cisco VPN client checked against the
> common name ? or does my client only verify I'm connecting with a
> concentrator with a valid certificate (even if belonging to a
> completely different concentrator) ?
> What is not clear to me (and I haven't been able to find some
> clarifying document on cisco website) is if the ip address / hostname I
> enter in my cisco client are checked against some field in the
> concentrator (valid) certificate.
>


I can't speak to that specific product. If they don't compare the
endpoint name to the common name or a subject alternate name then I
don't see how they can legitimately call what they do X509 certificate
support.

Victor Marte

2005-01-19, 2:45 am


Larry,

The purpose of a digital certificate is to prevent someone spoofing
your site. When your browser connects to a website with a digital
certificate, it checks three things.

1. Does the name on the digital certificate match the name of the site
you are accessing?

2. Is the certificate signed by a recognized authority? I.e. Verisign
or RSA

3. Is the date on the certificate valid?

If any of these three fail, your browser will give you an error
message. Each time you connect to your site, verify that you have a
secure connection. There are other things that you can do to further
secure your site from being spoofed. For instance, you can add a
reverse DNS lookup requirement so that the browser not only checks for
the validity of the digital certificate, it also verifies that the
IP address of the site to which you are connecting matches the address
registered in DNS.
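The three checks Victor lists, together with Larry's point that the endpoint name has to be compared against the common name or a subject alternative name, are shown below as a small Python peer-validation routine. This is an added example written for this archive page; it is not code from any poster and says nothing about what the Cisco client actually does. It assumes the certificate has already been parsed into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, uses two constructed certificates (a concentrator certificate and an equally valid certificate issued to a different host, which is the scenario the thread asks about), and stands in for real chain validation with a simple check of the issuer's common name against a constructed trust set.

```python
import calendar
import ipaddress
import ssl
import time

# Constructed sample certificates in the dict layout that
# ssl.SSLSocket.getpeercert() returns; every value is made up for this example.
CONCENTRATOR_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "vpn.example.com"),
                       ("DNS", "*.pool.example.com"),
                       ("IP Address", "192.0.2.10")),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Dec 31 23:59:59 2005 GMT",
}

# A valid certificate from the same CA, but issued to a different host.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "gateway.example.net"),),),
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example CA Root"),)),
    "subjectAltName": (("DNS", "gateway.example.net"),),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Dec 31 23:59:59 2005 GMT",
}

# Assumed trust store: issuer common names the client is configured to accept.
TRUSTED_ISSUER_CNS = {"Example CA Root"}


def ts(year, month, day):
    """UTC timestamp for midnight on the given date (pins 'now' for tests)."""
    return calendar.timegm((year, month, day, 0, 0, 0))


def _rdn_value(rdns, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name."""
    return next((v for rdn in rdns for k, v in rdn if k == key), None)


def _identities(cert):
    """DNS patterns and IP literals the certificate claims to identify."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    # Browsers fall back to the subject commonName only when SAN has no DNS name.
    if not dns:
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        if cn:
            dns = [cn]
    return dns, ips


def _dns_match(pattern, hostname):
    """Case-insensitive match; '*' may replace exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".pool.example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def name_matches(cert, endpoint):
    """Check 1: does the name or IP the user typed appear in the certificate?"""
    dns, ips = _identities(cert)
    try:
        wanted = ipaddress.ip_address(endpoint)
    except ValueError:                        # not an IP literal: treat as hostname
        return any(_dns_match(p, endpoint) for p in dns)
    return any(ipaddress.ip_address(ip) == wanted for ip in ips)


def issuer_trusted(cert, trusted=TRUSTED_ISSUER_CNS):
    """Check 2: is the issuer one we recognise? (A real client also verifies the
    CA's signature over the certificate; this sketch has no signature to check.)"""
    return _rdn_value(cert.get("issuer", ()), "commonName") in trusted


def dates_valid(cert, now=None):
    """Check 3: is 'now' inside the notBefore..notAfter window?"""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def validate_peer(cert, endpoint, trusted=TRUSTED_ISSUER_CNS, now=None):
    """Run all three checks; return the names of the ones that failed."""
    failures = []
    if not name_matches(cert, endpoint):
        failures.append("name")
    if not issuer_trusted(cert, trusted):
        failures.append("issuer")
    if not dates_valid(cert, now):
        failures.append("date")
    return failures
```

Calling `validate_peer(OTHER_HOST_CERT, "vpn.example.com", now=ts(2005, 6, 1))` returns `["name"]`: the certificate is genuine, current and signed by a trusted CA, and the connection is still rejected because the host the user asked for is not one of the names the certificate was issued for. A client that only runs checks 2 and 3 would accept it, which is exactly the gap the original question is about.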
