Question: Digital certificates and impersonation

Archived from groups: comp.dcom.vpn

Suppose someone is able to compromise my DNS
Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
but I end up connecting to a different malicious concentrator.
Suppose this malicious concentrator has a valid Certificate signed by a
known CA.
Would my Cisco VPN client realize there's something wrong during its
peer identity validation?

thank you for your answers
  1.

    kate0104@hotmail.com wrote:
    > Suppose someone is able to compromise my DNS
    > Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
    > but I end up connecting to a different malicious concentrator.
    > Suppose this malicious concentrator has a valid Certificate signed by a
    > known CA.
    > Would my Cisco VPN client realize there's something wrong during its
    > peer identity validation?
    >
    > thank you for your answers
    >

    Unless somebody has pulled one over on the CA the common name won't match.
  2.

    Larry Riffle wrote:
    > kate0104@hotmail.com wrote:
    > > Suppose someone is able to compromise my DNS
    > > Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
    > > but I end up connecting to a different malicious concentrator.
    > > Suppose this malicious concentrator has a valid Certificate signed by a
    > > known CA.
    > > Would my Cisco VPN client realize there's something wrong during its
    > > peer identity validation?
    > >
    > > thank you for your answers
    > >
    >
    > Unless somebody has pulled one over on the CA the common name won't match.

    So is the host name I enter in my Cisco VPN client checked against the
    common name, or does my client only verify I'm connecting with a
    concentrator with a valid certificate (even if belonging to a
    completely different concentrator)?
    What is not clear to me (and I haven't been able to find a
    clarifying document on the Cisco website) is whether the IP address / hostname I
    enter in my Cisco client is checked against some field in the
    concentrator's (valid) certificate.
  3.

    kate0104@hotmail.com wrote:
    > Larry Riffle wrote:
    >
    >>kate0104@hotmail.com wrote:
    >>
    >>>Suppose someone is able to compromise my DNS
    >>>Suppose now I try to establish an IPSec tunnel to my Cisco concentrator
    >>>but I end up connecting to a different malicious concentrator.
    >>>Suppose this malicious concentrator has a valid Certificate signed by a
    >>>known CA.
    >>>Would my Cisco VPN client realize there's something wrong during its
    >>>peer identity validation?
    >>>
    >>>thank you for your answers
    >>>
    >>
    >>Unless somebody has pulled one over on the CA the common name won't match.
    >
    > So is the host name I enter in my Cisco VPN client checked against the
    > common name, or does my client only verify I'm connecting with a
    > concentrator with a valid certificate (even if belonging to a
    > completely different concentrator)?
    > What is not clear to me (and I haven't been able to find a
    > clarifying document on the Cisco website) is whether the IP address / hostname I
    > enter in my Cisco client is checked against some field in the
    > concentrator's (valid) certificate.
    >

    I can't speak to that specific product. If they don't compare the
    endpoint name to the common name or a subject alternate name then I
    don't see how they can legitimately call what they do X509 certificate
    support.
  4.

    Larry,

    The purpose of a digital certificate is to prevent someone spoofing
    your site. When your browser connects to a website with a digital
    certificate it checks for three things.

    1. Does the name on the digital certificate match the name of the site
    you are accessing?

    2. Is the certificate signed by a recognized authority? I.e. Verisign
    or RSA.

    3. Is the date on the certificate valid?

    If any of these three fail, your browser will give you an error
    message. Each time you connect to your site, verify that you have a
    secure connection. There are other things that you can do to further
    secure your site from being spoofed. For instance, you can add a
    reverse DNS lookup requirement so that the browser not only checks for
    the validity of the digital certificate, it also verifies that the
    IP address of the site to which you are connecting matches the address
    registered in DNS.
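The three checks listed above, together with the name comparison answer 3 says any real X.509 support must do, can be run against the scenario in the question. The following is an added example written for this thread, not code from the thread, from Cisco, or from any VPN client. The certificates are constructed stand-ins (plain dataclasses carrying the fields a verifier reads) rather than parsed X.509, the trust store and names (`Example Root CA`, `vpn.example.com`, `rogue.example.net`, `192.0.2.10`) are made up, and the hostname comparison follows the RFC 6125 rules (SAN before CN, single-label wildcard only).

```python
"""Peer identity validation as a VPN/TLS client should perform it.

Added example, not code from the thread or from Cisco. Certificates are
constructed stand-ins (dataclasses), not parsed X.509; the checks are the
three listed in answer 4 plus RFC 6125-style name matching.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List
import ipaddress


@dataclass
class Cert:
    subject_cn: str          # Subject common name
    issuer: str              # Issuer name, looked up in the trust store
    not_before: datetime
    not_after: datetime
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress SAN entries


# Constructed trust store: the issuers this client recognises (check 2).
TRUSTED_ISSUERS = {"Example Root CA"}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard is only
    honoured as the whole leftmost label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def identity_matches(cert: Cert, endpoint: str) -> bool:
    """Check 1: the endpoint the user typed must appear in the certificate.
    An IP literal is matched only against iPAddress SANs; a hostname is matched
    against dNSName SANs, falling back to the CN only when there are none."""
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns:
        return any(dns_name_matches(p, endpoint) for p in cert.san_dns)
    return dns_name_matches(cert.subject_cn, endpoint)


def validate_peer(cert: Cert, endpoint: str, now: datetime) -> List[str]:
    """Return the list of failed checks; an empty list means the peer is accepted."""
    failures = []
    if not identity_matches(cert, endpoint):
        failures.append("name mismatch")
    if cert.issuer not in TRUSTED_ISSUERS:          # check 2: recognised CA
        failures.append("untrusted issuer")
    if not (cert.not_before <= now <= cert.not_after):  # check 3: dates
        failures.append("outside validity period")
    return failures


# Constructed scenario from the question: both concentrators hold valid
# certificates from the same trusted CA; only the names differ.
NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)
LEGIT_CERT = Cert("vpn.example.com", "Example Root CA",
                  datetime(2005, 1, 1, tzinfo=timezone.utc),
                  datetime(2006, 1, 1, tzinfo=timezone.utc),
                  san_dns=["vpn.example.com"], san_ip=["192.0.2.10"])
ROGUE_CERT = Cert("rogue.example.net", "Example Root CA",
                  datetime(2005, 1, 1, tzinfo=timezone.utc),
                  datetime(2006, 1, 1, tzinfo=timezone.utc),
                  san_dns=["rogue.example.net"])

if __name__ == "__main__":
    # The user typed vpn.example.com; poisoned DNS delivered the rogue peer.
    print("legit peer:", validate_peer(LEGIT_CERT, "vpn.example.com", NOW))
    print("rogue peer:", validate_peer(ROGUE_CERT, "vpn.example.com", NOW))
    print("legit peer by IP:", validate_peer(LEGIT_CERT, "192.0.2.10", NOW))
    print("rogue peer by IP:", validate_peer(ROGUE_CERT, "192.0.2.10", NOW))
```

The rogue concentrator passes the issuer and date checks and is rejected solely by the name comparison, which is why a client that validates only "a certificate signed by a known CA" gives no protection in the DNS-compromise case. Note also the second half of the question: when the endpoint is typed as an IP address, the comparison is against iPAddress SAN entries, so a certificate that carries only a hostname will fail the identity check even for the legitimate peer.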