[Nottingham] Will HTTPS be safe against a spoofed IP address?

Godfrey Nix godfrey at gnnix.co.uk
Thu Oct 28 23:29:12 BST 2004

On Thu, 2004-10-28 at 16:15, Michael Erskine wrote:
> Hi all,
> I've been setting up secure webservers at each of my company's sites and I'm 
> eager to ensure that we only allow access to certain parties. This we can 
> easily do at the IP address level at the various firewalls or within the 
> webserver configurations. Do encrypted HTTPS sessions somehow protect against 
> the various forms of IP spoofing?
> Regards,
> Michael.

I think the short answer is, NO. If someone is spoofing an address it is
also possible for them to generate their own secure certificate claiming
to be any domain they want.

What visitors to the site need to be aware of is how to check the
certificate - who it was issued by, whom it was issued to and what level
of validation/authentication checking was carried out before the
certificate was issued. And *ALWAYS* check the certificate of any secure
site you visit.

The two levels of authentication used by most CA's (certification
authorities) are -

quick = just check the email address matches that of the domain
registration, and send email to tech contact asking confirmation

full = check that organisation asking for certificate legally exists and
that it has a right to use the domain; that it has a phone land line in
the name of the organisation listed in a phone directory and the named
person can be reached on that phone number.

You can see the level of authentication that has been used by checking
on the details given in the certificate (eg in Mozilla it is View--Page
Info--Security). If the certificate just shows the domain name then it
was done 'quick' but if it shows organisation name then it was 'full'

Hope this helps,

Godfrey Nix

More information about the Nottingham mailing list