[Nottingham] Will HTTPS be safe against a spoofed IP address?

Peter Taffs ptaffs at btinternet.com
Thu Oct 28 18:25:41 BST 2004


The certificate presented from the server back to the client contains 
the common name of the server, "www.nationwide.co.uk" for example, which 
the client uses to compare with where the connection is meant to be to 
(regardless of IP -- I think).

You mention servers, Michael, so you'd know about obtaining server 
certificates? Who is your certificate authority?

If you have fixed client certificates you can confirm those, ensuring 
both sides are known. This is a difficult topic to resolve; I've done 
it at work and it took several meetings to sort it out.

The pessimistic answer to
>> Do encrypted HTTPS sessions somehow protect against the various
>> forms of IP spoofing?
would be no. But it's pretty good and I'd use it for confidential 
information.

Peter

On 28 Oct 2004, at 16:15, Michael Erskine wrote:

> Hi all,
>
> I've been setting up secure webservers at each of my company's sites
> and I'm eager to ensure that we only allow access to certain parties.
> This we can easily do at the IP address level at the various firewalls
> or within the webserver configurations. Do encrypted HTTPS sessions
> somehow protect against the various forms of IP spoofing?
>
> Regards,
> Michael.
>
> -- 
>
> "I am not a (good) lawyer"
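
Added example, not part of the original thread: a Python sketch of the two checks discussed above, where the client compares the server certificate name with the host it asked for and the server demands a client certificate in addition to the IP filter. The network range, common name and function names are constructed placeholders, and `peercert` is assumed to be the dict returned by `ssl.SSLSocket.getpeercert()` after a verified handshake.

```python
import ipaddress
import ssl

# Constructed sample policy: partner network and the client-certificate
# common names issued to it (placeholder values, not from the thread).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_CNS = {"site-a.partner.example"}


def server_context(client_ca_file=None, cert_file=None, key_file=None):
    """Server-side TLS context that refuses clients without a valid certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails if no client cert verifies
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)  # CA that signs client certs
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)  # the server's own identity
    return ctx


def client_context():
    """Client-side context: verifies the chain and checks the server name."""
    # The defaults for SERVER_AUTH are CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def common_name(peercert):
    """Return commonName from a getpeercert()-style dict, or None."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorise(peer_ip, peercert):
    """Allow only if the source address AND the verified client cert both match."""
    in_net = any(ipaddress.ip_address(peer_ip) in net for net in ALLOWED_NETS)
    return in_net and common_name(peercert or {}) in ALLOWED_CNS
```

The source address stays a coarse first filter; the decision that identifies the party rests on the certificate the TLS layer has already verified.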