[Nottingham] Will HTTPS be safe against a spoofed IP address?
Peter Taffs
ptaffs at btinternet.com
Thu Oct 28 18:25:41 BST 2004
The certificate presented from the server back to the client contains
the common name of the server, "www.nationwide.co.uk" for example, which
the client uses to compare with where the connection is meant to be to
(regardless of IP -- I think).
You mention servers, Michael, so you'd know about obtaining server
certificates? Who is your certificate authority?
If you have fixed client certificates you can confirm those, ensuring
both sides are known. This is a difficult topic to resolve; I've done
it at work and it took several meetings to sort it out.
The pessimistic answer to
>> Do encrypted HTTPS sessions somehow protect against the various
>> forms of IP spoofing?
would be no. But it's pretty good and I'd use it for confidential
information.
Peter
On 28 Oct 2004, at 16:15, Michael Erskine wrote:
> Hi all,
>
> I've been setting up secure webservers at each of my company's sites
> and I'm eager to ensure that we only allow access to certain parties.
> This we can easily do at the IP address level at the various firewalls
> or within the webserver configurations. Do encrypted HTTPS sessions
> somehow protect against the various forms of IP spoofing?
>
> Regards,
> Michael.
>
> --
>
> "I am not a (good) lawyer"
>
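
The two checks discussed in this thread (the client matching the server name against the certificate, and the server confirming a client certificate in addition to filtering by IP address), as an added Python example that is not part of either message. The address range, client names and function names are constructed for illustration.

```python
import ipaddress
import ssl

# Constructed sample policy: documentation address range and made-up client names.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_CLIENT_CNS = {"site-a.example", "site-b.example"}


def server_context(certfile=None, keyfile=None, client_ca=None):
    """TLS server context that refuses clients without a CA-signed certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the server's own certificate
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # CA that issued client certs
    return ctx


def client_context():
    """Client context: the requested name is checked against the certificate."""
    # Defaults: check_hostname=True and CERT_REQUIRED, independent of the peer IP.
    return ssl.create_default_context()


def common_name(peercert):
    """Extract commonName from the dict returned by SSLSocket.getpeercert()."""
    # getpeercert() gives None or {} when no validated certificate is available.
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorize(peer_ip, peercert):
    """Allow only a known certificate identity coming from an allowed network.

    The source address is a coarse filter; the certificate is the
    authentication, since the handshake needs the matching private key.
    """
    if common_name(peercert) not in ALLOWED_CLIENT_CNS:
        return False
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ALLOWED_NETS)
```
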