I don't say it's impossible to forge a certificate. But I referred to the stored certificates (that should be valid). The problem is when a CA signs an invalid certificate - I didn't assume that.
It's a big problem that you don't have control over whether a CA signs a certificate for your domain that was not submitted by you. Therefore the described scenario is possible. The only secure way to detect this is to check the certificate (particularly the fingerprint) each time. But this must be performed by the user. I think nobody does this. If you need high security you can buy a certificate with extended validation. Most browsers display special indicators for this kind of certificate. Then it's on the user to notice if such an indicator is not there (if it has been before).

On Dec 19, 11:14 am, UseTheFork <[email protected]> wrote:
> On Dec 16, 9:15 am, Basdl <[email protected]> wrote:
>
> > Concerning your conclusion, that root certificates stored in browsers
> > were no pre-established secrets, I have a notice:
> > The certificates themselves were public but the server knows the
> > corresponding secret key.
> > So he can sign something and the client can validate that the signed
> > content has not been manipulated.
>
> For the record, because people will read this thread:
>
> What if Mallory is in the middle? Your claim is not valid if Mallory
> can fiddle with the communication in between. Mallory can substitute a
> false valid public certificate.
>
> > This is used in SSL to ensure a secure handshake.
> > Therefore, it is an advantage over self implemented protocols.
> > That is the point why Diffie-Hellman should be safe using SSL but not
> > when implemented in JS.
>
> Thanks to all for this conversation. I think this has been very
> valuable in clarifying the situation.
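The fingerprint check mentioned in the reply above can be automated instead of left to the user. The following Python sketch is an added example, not part of the original thread: it remembers the first fingerprint seen for a host and reports any later change, even when the new certificate would chain to a trusted CA. `PinStore`, `check_live`, the host name and the sample byte strings are hypothetical.

```python
import hashlib
import hmac
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class PinStore:
    """Hypothetical trust-on-first-use store: one remembered fingerprint per host."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, der: bytes) -> str:
        seen = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen      # first contact: remember, cannot verify
            return "first-seen"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Different certificate than before. The old pin is kept on purpose,
        # so the change keeps being reported until someone reviews it.
        return "changed"

def check_live(store: PinStore, host: str, port: int = 443) -> str:
    """Fetch the certificate a server presents and compare it with the pin.
    Chain validation is a separate step; this only detects a changed certificate."""
    pem = ssl.get_server_certificate((host, port))
    return store.check(host, ssl.PEM_cert_to_DER_cert(pem))

# Constructed stand-ins for DER bytes (not real certificates); the fingerprint
# is a hash over the encoded bytes, so any two distinct inputs show the logic.
STORED_CERT = b"constructed-der: certificate requested by the site operator"
OTHER_CERT = b"constructed-der: certificate a CA issued to someone else"

def demo() -> list:
    store = PinStore()
    host = "example.test"  # placeholder host name
    return [
        store.check(host, STORED_CERT),  # first visit
        store.check(host, STORED_CERT),  # same certificate again
        store.check(host, OTHER_CERT),   # substituted certificate
        store.check(host, STORED_CERT),  # original is still the pinned one
    ]

if __name__ == "__main__":
    print(demo())
```

A "changed" result also occurs on legitimate certificate renewal, so it calls for review of the new certificate rather than automatic rejection.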
