https - hopefully not too stupid a question
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sun Jun 17 17:24:15 BST 2012
Roland Perry wrote:
> In article <4FDDF8D7.7080108 at zen.co.uk>, Peter Fairbrother
> <zenadsl6186 at zen.co.uk> writes
>> In practice, the client will normally do a DNS on the hostname before
>> a https connection is established. So if all the client's traffic is
>> being monitored then the monitors will usually have the hostname anyway.
>
> Hmm, if I try to access:
>
> https://65.55.25.59/windowsupdate/v6/thanks.aspx?ln=en&&thankspage=5
>
> (Where 65.55.25.59 is what my DNS translates www.update.microsoft.com into)
>
> I get:
>
> This is probably not the site you are looking for!
>
> You attempted to reach 65.55.25.59, but instead you actually reached a
> server identifying itself as www.update.microsoft.com. This may be
> caused by a misconfiguration on the server or by something more
> serious. An attacker on your network could be trying to get you to
> visit a fake (and potentially harmful) version of 65.55.25.59.
>
> Is this my browser (Chrome) not getting its act together, or is there an
> infelicity in one of the protocols?
I get (Firefox):
Secure Connection Failed
65.55.25.59 uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The certificate is only valid for www.update.microsoft.com.
(Error code: sec_error_unknown_issuer)
I think the browsers are looking to check the hostname in the requested
URL matches the hostname in the certificate - and it doesn't,
65.55.25.59 != www.update.microsoft.com
Both actions seem like perfectly good behaviour to me.
-- Peter Fairbrother
More information about the ukcrypto
mailing list