[Nottingham] Will HTTPS be safe against a spoofed IP address?

Michael Erskine msemtd at yahoo.co.uk
Fri Oct 29 10:06:13 BST 2004


On Thursday 28 October 2004 18:25, Peter Taffs wrote:
> The certificate presented from the server back to the client contains
> the common name of the server "www.nationwide.co.uk" for example, which
> the client uses to compare with where the connection is meant to be
> (regardless of IP -- I think).
>
> You mention servers, Michael, so you'd know about obtaining server
> certificates? Who is your certificate authority?

Our servers have temporary certificates -- I'm not too concerned about
authenticating the servers (that's up to the client accepting or rejecting
the certificate); it's more about authenticating the clients and ensuring
that they are actually our employees at the allowed IP addresses.

> If you have fixed client certificates you can confirm those, ensuring
> both sides are known. This is a difficult topic to resolve, I've done
> it at work and it took several meetings to sort it out.
>
> The pessimistic answer to
>
> >> Do encrypted HTTPS sessions somehow protect against the various
> >> forms of IP spoofing?
> would be no. But it's pretty good and I'd use it for confidential
> information.

It seems to be much as I thought; it is possible for a client to pretend to be 
originating from another IP address but it is rather difficult to perform, 
especially for a lengthy conversation. In general I trust iptables so I 
should quit worrying.

Thanks for all your answers.

Michael.