This is a discussion on RE: domain check vs pubkey check - Openssl ; > Hi, a question about the SSL: > > In SSL, the server certificate is checked by the > client as to whether the server actually holds the > private key of it. This is done by client sending the ...
> Hi, a question about the SSL:
> In SSL, the server certificate is checked by the
> client as to whether the server actually holds the
> private key of it. This is done by client sending the
> session key signed by server's public key.
> So, why there is a need for a check of domain name in
> the server certificate? Shouldn't the above check be
Absolutely not. If I type "https://www.paypal.com" and I get connected to a
secure server run by some bad guys, knowing they own the certificate they
present to me isn't good enough. I need to make sure the certificate was
issued to paypal.com and signed by a certificate authority I trust.
Anyone can obtain a certificate and confirm that it is their certificate. If
the certificate is signed by a CA I trust, I then know who I am talking to.
But knowing I am talking to someone I don't trust, and still sending them my
credit card information, would be really stupid.
So it is imperative that a web browser verify that the certificate in fact
belongs to the organization the person using the web browser wants to talk
OpenSSL Project http://www.openssl.org
User Support Mailing List email@example.com
Automated List Manager firstname.lastname@example.org