https - hopefully not too stupid a question
zenadsl6186 at zen.co.uk
Sun Jun 17 17:24:15 BST 2012
Roland Perry wrote:
> In article <4FDDF8D7.7080108 at zen.co.uk>, Peter Fairbrother
> <zenadsl6186 at zen.co.uk> writes
>> In practice, the client will normally do a DNS on the hostname before
>> a https connection is established. So if all the client's traffic is
>> being monitored then the monitors will usually have the hostname anyway.
> Hmm, if I try to access:
> (Where 220.127.116.11 is what my DNS translates www.update.microsoft.com into)
> I get:
> This is probably not the site you are looking for!
> You attempted to reach 18.104.22.168, but instead you actually reached a
> server identifying itself as www.update.microsoft.com. This may be
> caused by a misconfiguration on the server or by something more
> serious. An attacker on your network could be trying to get you to
> visit a fake (and potentially harmful) version of 22.214.171.124.
> Is this my browser (Chrome) not getting its act together, or is there an
> infelicity in one of the protocols?
I get (Firefox):
Secure Connection Failed
126.96.36.199 uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The certificate is only valid for www.update.microsoft.com.
(Error code: sec_error_unknown_issuer)
I think the browsers are looking to check the hostname in the requested
URL matches the hostname in the certificate - and it doesn't,
188.8.131.52 != www.update.microsoft.com
Both actions seem like perfectly good behaviour to me.
-- Peter Fairbrother
More information about the ukcrypto