
iis security : Script to distinguish between Certificate Authorities (ex. Verisign, Thawte) SSL


Ken Schaefer
5/26/2005 12:00:00 AM
Who told you those fields were "unreliable", and what was the reasoning
behind this?

Request.ServerVariables() collection is populated from two distinct sources:
data sent from the client, and data from the server itself. So, a field like
HTTP_Referer is populated from the HTTP Referer: header sent from the
client. Whether or not the client was actually coming from that previous
page you can't really verify - the client can send any arbitrary data it
likes.

However something like Request.ServerVariables("Local_Addr") is not
"unreliable" - this is the IP address /on the server/ where the request came
in on. So, unless the administrator of the server is running some malicious
code to confuse your ASP script (unlikely surely?), you can trust this
value.

So, if you have a look in the Request.ServerVariables collection, you will
see fields like Cert_Server_Issuer and HTTPS_Server_Issuer. These contain
details for the issuers of the server's certificate that's being used for
the current request. I'm not entirely sure why those fields would be
"unreliable" - they can't be spoofed by the client, because the data is not
derived from anything the client sent to the server.

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


: Hi,
:
: I'm wondering if anyone can help me out with a problem I'm facing.
:
: I need to have conditional code on a web page (asp) to show who the site
: authenticating Certificate Authority is. Of course the site is set up to
: use SSL.
:
: I've examined all IIS Server Variables (Request.ServerVariables).
: Unfortunately I was informed that the server variable names with a "CERT_"
: prefix are unreliable to test for CA's.
:
: Can anyone help?
:
: One application of this test would be to conditionally put a Verisign or
: Thawte logo on a site's login page.
:
: Thanks.
:
: -C-
:
:
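
The approach discussed in this reply, as an added example that is not part of the original thread or either poster's code: a Classic ASP page that reads the server-derived CERT_SERVER_ISSUER variable, pulls out the issuer's organization, and picks a logo. The function names IssuerOrg and CaLogo, the logo file names, the /images/ path, and the comma-separated "KEY=value" layout of the issuer string are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Extract the O= (organization) component from an issuer string such as
' "C=ZA, O=Thawte Consulting cc, CN=Thawte Server CA" (constructed sample).
' The comma-separated "KEY=value" layout is an assumption about the format.
Function IssuerOrg(issuer)
    Dim re, m
    Set re = New RegExp
    re.IgnoreCase = True
    ' The value runs until the next ", KEY=" or the end of the string, so an
    ' organization that contains a comma ("VeriSign, Inc.") stays intact.
    re.Pattern = "(?:^|,\s*)O=(.*?)(?=,\s*[A-Za-z]+=|$)"
    Set m = re.Execute(issuer)
    If m.Count > 0 Then IssuerOrg = Trim(m(0).SubMatches(0)) Else IssuerOrg = ""
End Function

' Map the organization to a logo file. File names are hypothetical.
Function CaLogo(org)
    Dim o : o = LCase(org)
    If Left(o, 8) = "verisign" Then
        CaLogo = "verisign.gif"
    ElseIf Left(o, 6) = "thawte" Then
        CaLogo = "thawte.gif"
    Else
        CaLogo = ""          ' unknown issuer: show no logo
    End If
End Function

Dim issuer, org, logo
' Server-derived values: IIS fills these in from its own certificate,
' not from anything in the client's request.
If LCase(Request.ServerVariables("HTTPS")) = "on" Then
    issuer = Request.ServerVariables("CERT_SERVER_ISSUER")
Else
    issuer = ""              ' plain HTTP request: no server certificate in use
End If
org = IssuerOrg(issuer)
logo = CaLogo(org)

If logo <> "" Then
    Response.Write "<img src=""/images/" & logo & """ alt=""" & _
                   Server.HTMLEncode(org) & """>"
End If
%>
```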

copulus
5/26/2005 12:22:10 PM
Hi,

I'm wondering if anyone can help me out with a problem I'm facing.

I need to have conditional code on a web page (asp) to show who the site
authenticating Certificate Authority is. Of course the site is set up to
use SSL.

I've examined all IIS Server Variables (Request.ServerVariables).
Unfortunately I was informed that the server variable names with a "CERT_"
prefix are unreliable to test for CA's.

Can anyone help?

One application of this test would be to conditionally put a Verisign or
Thawte logo on a site's login page.

Thanks.

-C-
