Re: Script to distinguish between Certificate Authorities (ex. Verisign, Thawte) SSL
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 05/27/05
Date: Fri, 27 May 2005 12:34:21 +1000
Who told you those fields were "unreliable", and what was the reasoning
behind this?
Request.ServerVariables() collection is populated from two distinct sources:
data sent from the client, and data from the server itself. So, a field like
HTTP_Referer is populated from the HTTP Referer: header sent from the
client. Whether or not the client was actually coming from that previous
page you can't really verify - the client can send any arbitrary data it
likes.
However something like Request.ServerVariables("Local_Addr") is not
"unreliable" - this is the IP address /on the server/ where the request came
in on. So, unless the administrator of the server is running some malicious
code to confuse your ASP script (unlikely surely?), you can trust this
value.
So, if you have a look in the Request.ServerVariables collection, you will
see fields like Cert_Server_Issuer and HTTPS_Server_Issuer. These contain
details for the issuers of the server's certificate that's being used for
the current request. I'm not entirely sure why those fields would be
"unreliable" - they can't be spoofed by the client, because the data is not
derived from anything the client sends to the server.
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com

"copulus" <copulus[at]hotmail.com> wrote in message
news:%23ZYld8gYFHA.2884@tk2msftngp13.phx.gbl...
: Hi,
:
: I'm wondering if anyone can help me out with a problem I'm facing.
:
: I need to have conditional code on a web page (asp) to show who the site
: authenticating Certificate Authority is. Of course the site is set up to
: use SSL.
:
: I've examined all IIS Server Variables (Request.ServerVariables).
: Unfortunately I was informed that the server variables names with a "CERT_"
: prefix are unreliable to test for CA's.
:
: Can anyone help?
:
: One application of this test would be to conditionally put a Verisign or
: Thawte logo on a site's log in page.
:
: Thanks.
:
: -C-
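
The following classic ASP sketch is an added example, not code from the thread or its participants. It picks a logo from the server-derived CERT_SERVER_ISSUER value and, for contrast, treats the client-supplied HTTP_REFERER as untrusted display data. The CA substrings and image paths are hypothetical placeholders.

```vbscript
<%
Option Explicit

' Return a logo path for a known CA, or "" if the issuer is not recognised.
' The substrings and image paths below are hypothetical; adjust them to the
' issuer strings your own certificates actually carry.
Function LogoForIssuer(issuerDn)
    Dim known, i, dn
    known = Array( _
        Array("verisign", "/images/verisign.gif"), _
        Array("thawte",   "/images/thawte.gif"))
    LogoForIssuer = ""
    ' Match case-insensitively on the whole issuer string; values such as
    ' "VeriSign, Inc." contain commas, so splitting on "," is unreliable.
    dn = LCase(issuerDn)
    For i = 0 To UBound(known)
        If InStr(dn, known(i)(0)) > 0 Then
            LogoForIssuer = known(i)(1)
            Exit Function
        End If
    Next
End Function

Dim issuer, logo
' Server-derived values: IIS fills these from the site's own certificate and
' connection state, not from any header the client sent.
If LCase(Request.ServerVariables("HTTPS")) = "on" Then
    issuer = Request.ServerVariables("CERT_SERVER_ISSUER")
    logo = LogoForIssuer(issuer)
End If

' Unknown issuer or a non-SSL request: show no seal rather than guess.
If logo <> "" Then
    Response.Write "<img src=""" & Server.HTMLEncode(logo) & """ alt=""CA seal"">"
End If

' Client-derived value: HTTP_REFERER is copied from a request header, so it
' is HTML-encoded before display and never used to make a decision.
Response.Write "<p>Referer (client-supplied): " & _
    Server.HTMLEncode(Request.ServerVariables("HTTP_REFERER")) & "</p>"
%>
```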