httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <>
Subject Re: [users@httpd] Namebased Virtual Hosts
Date Tue, 17 Oct 2006 18:34:02 GMT
On 10/17/06, Serge Dubrouski <> wrote:

> > The channel is encrypted, but you have no idea who encrypted it.  It
> > could, for example, be a "man in the middle" that puts himself on the
> > wire between you and server, decrypts the original content,
> Tell me how would you do that without server's private key????? It
> doesn't matter who issued the certficate, encryption is always the
> same, based on a server's private key. So you have to steal it first.

The man-in-the-middle appears like any-old client to the server.  If
you need this in more detail:

1. client makes request that it intends for server.

2. man-in-the-middle pretends to be server, negotiates encryption with
client, and accepts request.

3. man-in-the-middle pretends to be client, negotiations encryption
with server, and makes the request to server.

4. server sends response to man-in-the-middle, who decrypts it, saves
it, and re-encrypts it and resends to client.  The server has no way
to verify the identity of the client, and the client can only verify
the identity of the server if it uses a proper certificate.

> The real problem with self signed certificates is that they don't
> guarantee that company A to which certificate was issued to us really
> company A and not something else. CA has to check all data that is put
> into certificate before issuing it. But on other hand browser now
> always contact CAs to verify certificates. Is OCSP enabled in your
> browser by default?

The only really important thing in the certificate is the hostname,
since that is the only thing that the typical user can easily verify
(by looking at the URL-bar of their browser).  Everything else is
buried deep in browser menus and rarely gets used.  So when I do
online-banking, I verify that I have an encrypted connection (without
any certificate warnings) and that the url-bar has the correct site.
Provided I am confident that I know the domain name of my bank, that
isn't too bad security-wise.

But if the server certificate is not right, you're screwed.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message