Aaron wrote:
> Anonymous Sender <anonymous@remailer.metacolo.com> wrote in
> news:6dda6448ead9cb5bb66f2e45a96775b7@remailer.metacolo.com:
>
>
> >> Does anyone have an example of a situation we can go to in order to
> >> see what a "real" SSL forgery looks like to the user as they try to
> >> log into their email web site?
> >
> > It will look exactly the same if this is how the forgers are trying to
> > attack you. Except the names will have changed of course... "You have
> > attempted to establish a connection with www.mybank.com, however the
> > certificate belongs to XXXX". Or it will be unsigned, or won't match
> > the cert you've received on previous visits to your bank site. Or more
> > likely a combination of all three.
>
> Seems to be the bottom line here.
>
> I thought I basically understood how SSL works, but I guess it can be
> really confusing.
It can be made confusing anyway. ;-)
The underlying principles and actions you should take are fairly
straightforward. If you get an error *read it*. If you don't understand
it, stop. Only when you've figured it out should you continue.
> I don't know about all this ssl intercepting thingies, but I used to have a
> setup involving a local proxy, Proxomitron handling https as well. I had to
> accept a local (self-signed???) cert from Proxomitron (that I downloaded)
> before it could work.
>
> I presume anyone in the TOR chain that tried to do so, would cause the same
> thing?
Yes, that's essentially what an evil Tor node attempts and the same
sort of error you'll get. The wording may be different because there are
different errors, different browsers will represent them in their own
"language", and I don't remember what the specific problem with the
Proxomitron cert was, but the principles are the same. Something or
things won't "jive". For evil Tor nodes and other MITM attackers, even
ones with certs signed by trusted authorities, it will most likely be
something akin to "The cert doesn't match the site you're connecting
to". It's not the only scenario that can generate that error, but MITM
attacks will almost always generate them.
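The three warning signs the post lists (the name on the cert doesn't match the site, the cert is self-signed or otherwise untrusted, or the cert has changed since a previous visit) can be checked programmatically against the dictionary Python's ssl.SSLSocket.getpeercert() returns. The code below is an added example written for this page, not code from the thread or from any browser; the certificates, hostnames and fingerprints in it are constructed stand-ins, and "self-signed" is approximated by comparing issuer to subject rather than by walking a chain to a trusted root as a browser would.

```python
# Added example (not from the original thread): classify a server certificate,
# in the dict shape returned by ssl.SSLSocket.getpeercert(), against the three
# warning signs a MITM tends to produce: name mismatch, self-signed, or changed
# since the last visit. All certificates and fingerprints below are constructed.

def _dns_name_matches(pattern, hostname):
    """RFC 6125 style match: exact name, or a single '*' as the leftmost label.

    The wildcard covers exactly one label, so "*.mybank.com" matches
    "www.mybank.com" but not "mybank.com" or "a.b.mybank.com", and a
    wildcard directly under a TLD such as "*.com" is never accepted.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    h_labels = hostname.split(".")
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == pattern[2:]


def cert_names(cert):
    """Names the cert claims: subjectAltName DNS entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def is_self_signed(cert):
    """Heuristic only: a cert whose issuer equals its subject signed itself."""
    return cert.get("issuer") == cert.get("subject")


def check_cert(cert, hostname, fingerprint, pinned_fingerprint=None):
    """Return a list of warnings; an empty list means nothing looked wrong."""
    warnings = []
    names = cert_names(cert)
    if not any(_dns_name_matches(n, hostname) for n in names):
        warnings.append("name mismatch: cert is for %s, not %s"
                        % (", ".join(names) or "<no name>", hostname))
    if is_self_signed(cert):
        warnings.append("self-signed: issuer equals subject")
    if pinned_fingerprint is not None and fingerprint != pinned_fingerprint:
        warnings.append("changed: fingerprint differs from previous visit")
    return warnings


# Constructed: what a legitimate bank certificate might look like.
GOOD_CERT = {
    "subject": ((("commonName", "www.mybank.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA"),)),
    "subjectAltName": (("DNS", "www.mybank.com"), ("DNS", "mybank.com")),
}
GOOD_FP = "sha256:" + "ab" * 32   # constructed fingerprint remembered from a past visit

# Constructed: what an interposing proxy or evil exit node typically presents.
MITM_CERT = {
    "subject": ((("commonName", "evil-exit.example"),),),
    "issuer": ((("commonName", "evil-exit.example"),),),
    "subjectAltName": (("DNS", "evil-exit.example"),),
}
MITM_FP = "sha256:" + "cd" * 32

# Constructed: a CA-signed cert for the wrong name, the "signed by a trusted
# authority but doesn't match the site" case the post mentions.
WRONG_NAME_CERT = {
    "subject": ((("commonName", "evil-exit.example"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "evil-exit.example"),),
}
WRONG_NAME_FP = "sha256:" + "ef" * 32


if __name__ == "__main__":
    for label, cert, fp in (("good", GOOD_CERT, GOOD_FP),
                            ("mitm", MITM_CERT, MITM_FP),
                            ("wrong-name", WRONG_NAME_CERT, WRONG_NAME_FP)):
        print(label, check_cert(cert, "www.mybank.com", fp, GOOD_FP) or "ok")
```

In practice the fingerprint to pin is sha256 over the DER bytes from getpeercert(binary_form=True), and a browser's "cert doesn't match the site" error corresponds to the name-mismatch branch here; the pin comparison is what catches a MITM holding a CA-signed cert for the right name, which the other two checks would pass.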