Client Certificate


BC
Hi everybody,

I am building an HTTPS web application for our own staff to access the
company's web server through the Internet. The web server is running IIS
5.0 on a W2K box. The web server is installed with a server certificate,
and the user's browser needs a client certificate to be authenticated by the
server. The HTTPS web server is configured with Many-to-one mapping
specifying that a certificate meets certain criteria (for instance, a
specific Certificate Authority - CA - issued by our own Microsoft
certificate server). My question is whether an authorized person can use a
pseudo Proxy server or other tools to fake a web page message containing the
HTTP header of a valid client certificate. Will the web server be able to
tell whether the challenged browser does not contain the valid client
certificate, when the challenge message is being sent back to that fake web
page?

Thanks a lot.

BC



David Cross [MS]
No, this will not work - the private key is required to sign data back to
the server to provide proof of possession:

"My question is whether an authorized person can use a
pseudo Proxy server or other tools to fake a web page message containing the
HTTP header of a valid client certificate. "

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"BC" wrote in message
news:eE1JEQ4REHA.3608@TK2MSFTNGP10.phx.gbl...
> Hi everybody,
>
> I am building an HTTPS web application for our own staff to access the
> company's web server through the Internet. The web server is running IIS
> 5.0 on a W2K box. The web server is installed with a server certificate,
> and the user's browser needs a client certificate to be authenticated by the
> server. The HTTPS web server is configured with Many-to-one mapping
> specifying that a certificate meets certain criteria (for instance, a
> specific Certificate Authority - CA - issued by our own Microsoft
> certificate server). My question is whether an authorized person can use a
> pseudo Proxy server or other tools to fake a web page message containing the
> HTTP header of a valid client certificate. Will the web server be able to
> tell whether the challenged browser does not contain the valid client
> certificate, when the challenge message is being sent back to that fake web
> page?
>
> Thanks a lot.
>
> BC
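The point in the reply above, that the certificate is public data and only a signature made with the matching private key proves possession, shown as an added illustration (not code from the thread or from IIS; it uses a toy textbook RSA in place of real TLS, and `server_accepts` models the Many-to-one mapping check followed by the handshake signature check):

```python
import hashlib
import secrets

# Toy textbook RSA (no padding, Fermat primality test) used only to
# illustrate proof of possession; real TLS signs a padded transcript hash.
def is_prime(n, rounds=20):
    return n > 3 and all(pow(secrets.randbelow(n - 3) + 2, n - 1, n) == 1
                         for _ in range(rounds))

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def gen_keypair(bits=512):
    """Return ((e, n), (d, n)); the public half is what the certificate carries."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def sign(priv, data):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def server_accepts(trusted_pub, presented_pub, challenge, proof):
    """Server-side check (the web server's role): the presented certificate must
    map to an enrolled key AND the client must have signed this handshake's data."""
    return presented_pub == trusted_pub and verify(presented_pub, challenge, proof)

def demo():
    pub, priv = gen_keypair()            # key pair behind the enrolled client cert
    challenge = secrets.token_bytes(32)  # fresh per-handshake data (TLS transcript hash)
    # 1. Real browser holding the private key signs the challenge: accepted.
    genuine = server_accepts(pub, pub, challenge, sign(priv, challenge))
    # 2. Relaying the certificate alone (public data) with a made-up proof:
    #    nothing verifies under the certificate's key without the private key.
    forged = server_accepts(pub, pub, secrets.token_bytes(32), secrets.randbelow(pub[1]))
    # 3. Replaying a signature captured from an earlier handshake: rejected,
    #    because every handshake signs different data.
    replayed = server_accepts(pub, pub, secrets.token_bytes(32), sign(priv, challenge))
    return genuine, forged, replayed
```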