Question: Digital certificates and impersonation

Anonymous
January 13, 2005 10:06:42 AM

Archived from groups: comp.dcom.vpn

Suppose someone is able to compromise my DNS.
Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
but I end up connecting to a different malicious concentrator.
Suppose this malicious concentrator has a valid certificate signed by a
known CA.
Would my Cisco VPN client realize there's something wrong during its
peer identity validation?

Thank you for your answers.
Anonymous
January 13, 2005 6:08:27 PM


kate0104@hotmail.com wrote:
> Suppose someone is able to compromise my DNS
> Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
> but I end up connecting to a different malicious concentrator.
> Suppose this malicious concentrator has a valid Certificate signed by a
> known CA.
> Would my Cisco VPN client realize there's something wrong during its
> peer identity validation ?
>
> thank you for your answers
>

Unless somebody has pulled one over on the CA, the common name won't match.
Anonymous
January 13, 2005 6:25:04 PM


Larry Riffle wrote:
> kate0104@hotmail.com wrote:
> > Suppose someone is able to compromise my DNS
> > Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
> > but I end up connecting to a different malicious concentrator.
> > Suppose this malicious concentrator has a valid Certificate signed by a
> > known CA.
> > Would my Cisco VPN client realize there's something wrong during its
> > peer identity validation ?
> >
> > thank you for your answers
> >
>
> Unless somebody has pulled one over on the CA the common name won't match.

So is the host name I enter in my Cisco VPN client checked against the
common name? Or does my client only verify that I'm connecting to a
concentrator with a valid certificate (even if it belongs to a
completely different concentrator)?
What is not clear to me (and I haven't been able to find a
clarifying document on Cisco's website) is whether the IP address / hostname I
enter in my Cisco client is checked against some field in the
concentrator's (valid) certificate.
Anonymous
January 14, 2005 12:16:12 PM


kate0104@hotmail.com wrote:
> Larry Riffle wrote:
>
>>kate0104@hotmail.com wrote:
>>
>>>Suppose someone is able to compromise my DNS
>>>Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
>>>but I end up connecting to a different malicious concentrator.
>>>Suppose this malicious concentrator has a valid Certificate signed by a
>>>known CA.
>>>Would my Cisco VPN client realize there's something wrong during its
>>>peer identity validation ?
>>>
>>>thank you for your answers
>>>
>>
>>Unless somebody has pulled one over on the CA the common name won't match.
>
> So is the host name I enter in my Cisco VPN client checked against the
> common name ? or does my client only verify I'm connecting with a
> concentrator with a valid certificate (even if belonging to a
> completely different concentrator) ?
> What is not clear to me (and I haven't been able to find some
> clarifying document on Cisco website) is if the ip address / hostname I
> enter in my Cisco client are checked against some field in the
> concentrator (valid) certificate.
>

I can't speak to that specific product. If they don't compare the
endpoint name to the common name or a subject alternate name then I
don't see how they can legitimately call what they do X509 certificate
support.
Anonymous
January 18, 2005 9:52:28 PM


Larry,

The purpose of a digital certificate is to prevent someone from spoofing
your site. When your browser connects to a website with a digital
certificate, it checks for three things.

1. Does the name on the digital certificate match the name of the site
you are accessing?

2. Is the certificate signed by a recognized authority? I.e. Verisign
or RSA.

3. Is the date on the certificate valid?

If any of these three fail, your browser will give you an error
message. Each time you connect to your site, verify that you have a
secure connection. There are other things that you can do to further
secure your site from being spoofed. For instance, you can add a
reverse DNS lookup requirement so that the browser not only checks for
the validity of the digital certificate, it also verifies that the
IP address of the site to which you are connecting matches the address
registered in DNS.
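The three checks listed above, worked through as an added example that is not part of the thread and not Cisco's or any vendor's code: a client-side validator run over a constructed certificate in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns. The certificate is a made-up, CA-signed-looking one for `other-vpn.example.net`, so asking it to vouch for `vpn.example.com` reproduces the DNS-hijack scenario from the original question and must fail on the name check alone; the issuer check is a stand-in for full chain verification, and IP-address SAN entries are not handled.

```python
import ssl
import time

# Constructed peer certificate (not a real one) in the layout getpeercert() returns.
# It names a different host than the one the client intended to reach.
PEER_CERT = {
    "subject": ((("commonName", "other-vpn.example.net"),),),
    "subjectAltName": (("DNS", "other-vpn.example.net"), ("DNS", "*.example.net")),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Dec 31 23:59:59 2005 GMT",
}
TRUSTED_ISSUERS = {"Example Public CA"}  # stand-in for the client's CA trust store
NOW_2005 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2005 GMT")  # inside the validity window


def _dns_match(pattern, hostname):
    """RFC 6125-style match: a single leading '*' label matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                  # ".example.net"
    head = hostname[: -len(suffix)]       # the part the wildcard has to cover
    return hostname.endswith(suffix) and head != "" and "." not in head


def cert_names(cert):
    """dNSName SAN entries are authoritative; the CN is only consulted when there is no SAN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def validate_peer(cert, expected_host, now=None, trusted_issuers=TRUSTED_ISSUERS):
    """Apply the three checks (name match, trusted issuer, validity dates).
    Returns the list of failed checks; an empty list means the peer is acceptable."""
    now = time.time() if now is None else now
    failures = []
    if not any(_dns_match(name, expected_host) for name in cert_names(cert)):
        failures.append("name mismatch")
    issuer_orgs = {v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "organizationName"}
    if not issuer_orgs & trusted_issuers:  # simplification: real clients verify the whole chain
        failures.append("untrusted issuer")
    if not ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("outside validity period")
    return failures


if __name__ == "__main__":
    # A validly signed, in-date certificate is still rejected when it names the wrong host.
    print(validate_peer(PEER_CERT, "vpn.example.com", NOW_2005))        # ['name mismatch']
    print(validate_peer(PEER_CERT, "other-vpn.example.net", NOW_2005))  # []
```

A client that skips the first check (as the second poster worried the VPN client might) would accept this certificate for any hostname, which is exactly the impersonation the question describes.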