Re: Script to distinguish between Certificate Authorities (ex. Verisign, Thawte) SSL

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 05/27/05


Date: Fri, 27 May 2005 12:34:21 +1000

Who told you those fields where "unreliable", and what was the reasoning
behind this?

Request.ServerVariables() collection is populated from two distinct sources:
data sent from the client, and data from the server itself. So, a field like
HTTP_Referer is populated from the HTTP Referer: header sent from the
client. Whether or not the client was actually coming from that previous
page you can't really verify - the client can send any arbitrary data it
likes.

However something like Request.ServerVariables("Local_Addr") is not
"unreliable" - this is the IP address /on the server/ where the request came
in on. So, unless the administrator of the server is running some malicious
code to confuse your ASP script (unlikely surely?), you can trust this
value.

So, if you have a look in the Request.ServerVariables collection, you will
see fields like Cert_Server_Issuer and HTTPS_Server_Issuer. These contain
details for the issuers of the server's certificate that's being used for
the current request. I'm not entirely sure why those fields would be
"unreliable" - they can't be spoofed by the client, because the data is not
derived from anything the client send to the server.

Cheers
Ken

-- 
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"copulus" <copulus[at]hotmail.com> wrote in message 
news:%23ZYld8gYFHA.2884@tk2msftngp13.phx.gbl...
: Hi,
:
: I'm wondering if anyone can help me out with a problem I'm facing.
:
: I need to have conditional code on a web page (asp) to show who the site
: authenticating Certificate Authority is.  Of course the site is set up to
: use SSL.
:
: I've examined all IIS Server Variables (Request.ServerVariables).
: Unfortunately I was informed that the server variables names with a 
"CERT_"
: prefix are unreliable to test for CA's.
:
: Can anyone help?
:
: One application of this test would be to conditionally put a Verisign or
: Thawte logo on a sites log in page.
:
: Thanks.
:
: -C-
:
: 


Relevant Pages

  • Re: What doesnt lend itself to OO?
    ... >> proxy and instructs the server to constuct the real object. ... rather than client code. ... If 'clock' is instantiated in the server, ... > for the server interface at the OOA level. ...
    (comp.object)
  • Re: More Get-IPlayer Questions
    ... to use with mutt mail client. ... antinat - 0.90-4 - Antinat is a flexible SOCKS server and client ... protocol for Sybase or MS SQL Server. ... ifstat - 1.1-1 - InterFace STATistics Monitoring ...
    (uk.comp.os.linux)
  • This is going straight to the pool room
    ... or not the client has privilege to do what they're trying to do, ... The server environment is this: ... 3GL User action Routines that Tier3 will execute on your behalf during the ... Routine Name: USER_INIT ...
    (comp.os.vms)
  • [Full-Disclosure] R: Full-Disclosure Digest, Vol 3, Issue 42
    ... Full-Disclosure Digest, Vol 3, Issue 42 ... SD Server 4.0.70 Directory Traversal Bug ... Arkeia Network Backup Client Remote Access ...
    (Full-Disclosure)
  • Re: What doesnt lend itself to OO?
    ... > rather than client code. ... no way to do that without also touching the object with clock semantics ... will not encapsulate both clock semantics and network semantics. ... The server can do whatever it wants ...
    (comp.object)