Re: Can a Browser's Certificate Verify Its Identity?

From: Felix Tiede (tiede_at_pc-tiede.de)
Date: 03/27/05


Date: Sun, 27 Mar 2005 14:18:04 +0200

smai wrote:
> You are correct. I was hoping that the certificate would identify the
> browser vendor and version, and that it could be relied upon to be
> true. That way, I can verify that those browsers do not cache pages
> that I don't want to be cached, and I can restrict access to only those
> browsers.
>
>
> Regarding the question of a client-less VPN... I am not looking to
> build a clientless VPN. I am looking to build a web application that
> allows employees to check sensitive corporate information from a remote
> location through a web browser. I want to be sure that the information
> is not cached on the remote computer. MSIE will obey the no-cache HTTP
> headers; therefore, I would like to validate that the user is browsing
> the site from that MSIE browser.
>
> Finally, I agree with the previous poster that I should not trust the
> user-agent string in the HTTP header through non-secure communication.
> However, can I trust it when it is secure (HTTPS/SSL)? If not, is that
> information available to be read from the browser's certificate?
>

No. SSL-Client-Certificates (which you can/should use to authenticate the
client) are not bound to any browser. The client can use them with any browser
which supports client-certificates.

Yes, the HTTP-Request (and the UA-string) will be transferred encrypted to
your server but that does not ensure that it wasn't faked before it was
encrypted.

HTH, regards
Felix
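
The distinction in the reply above, as an added example that is not part of the original post: a Python WSGI application that makes its access decision only from the verified client certificate, treats the User-Agent as an unverified claim, and sends the no-cache headers to every client. It assumes a front end that exports mod_ssl-style SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN variables into the WSGI environ; the subject name and the helper names classify and call are constructed for illustration.

```python
# Added example, not code from the original thread.
# Assumption: the TLS front end verifies client certificates and exports
# mod_ssl-style variables (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN) into environ.

ALLOWED_SUBJECTS = {"CN=alice,O=Example Corp"}  # constructed sample subject DN

# Sent on every response: the server cannot verify which browser receives it.
NO_CACHE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def classify(environ):
    """Separate what the TLS handshake verified from what the client claims."""
    verified = environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
    return {
        # Bound to the holder of the private key, not to any browser product.
        "authenticated_subject": environ.get("SSL_CLIENT_S_DN") if verified else None,
        # Plain request header: encrypted in transit, but chosen by the client.
        "claimed_user_agent": environ.get("HTTP_USER_AGENT", ""),
    }


def app(environ, start_response):
    info = classify(environ)
    headers = [("Content-Type", "text/plain")] + NO_CACHE_HEADERS
    # The decision uses only the verified certificate subject; the
    # User-Agent claim is never consulted.
    if info["authenticated_subject"] not in ALLOWED_SUBJECTS:
        start_response("403 Forbidden", headers)
        return [b"valid client certificate required\n"]
    start_response("200 OK", headers)
    return [b"sensitive report\n"]


def call(environ):
    """Run the app once and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Two requests carrying the same verified certificate but different User-Agent values receive the same response, and a request whose certificate was not verified is refused whatever its headers say.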


