
I have googled and found this post: https://security.stackexchange.com/questions/46988/is-it-technically-possible-to-configure-two-different-ssl-certificates-for-the-s

If it actually is possible, then what stops me from, say, getting an SSL certificate for paypal.com (or some important website), somehow getting users to arrive at my website/server using this new certificate (cache poisoning, something else, doesn't matter really) and faking the website while doing nasty things like stealing data etc.?

Round Potato

3 Answers


SSL vendors will not sell you a certificate for PayPal.com. The entire point of Certification Authorities is to have organizations in charge of validating that you control the domain in question.

The linked question involves two different SSL certificates but both for example.com. Both certificates would require the person requesting them to demonstrate control of example.com prior to having them generated by the CA.

ceejayoz
  • StartSSL, for example, does not validate you that much. I believe validation is even automated. – Round Potato Jan 11 '15 at 02:38
  • @RoundPotato It's still **validated**. All the domain-validation certs are automatically validated, typically via a DNS record on the domain or sending to an email address like `hostmaster@example.com` or one of the ones on the WHOIS record. Go ahead, try and get one for PayPal.com at StartSSL. It won't work. – ceejayoz Jan 11 '15 at 03:13
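To make the "automatically validated" point concrete, here is an added example (my own code, not from this thread or from any CA) of how an ACME CA such as Let's Encrypt proves control of a domain before it issues. It follows the key-authorization construction of RFC 8555 and the JWK thumbprint of RFC 7638. The account keys, the token, and the "internet" the CA sees are constructed placeholders; the point is that the CA fetches the challenge response from the domain named in the order, so an attacker who only controls paypall.com cannot pass a challenge for paypal.com, however automated the check is.

```python
import base64
import hashlib
import json

# Constructed placeholders: only the public JWK members matter for the
# thumbprint, so these strings are not real RSA moduli.
SITE_OWNER_JWK = {"kty": "RSA", "e": "AQAB", "n": "owner-modulus-placeholder"}
ATTACKER_JWK = {"kty": "RSA", "e": "AQAB", "n": "attacker-modulus-placeholder"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # CA-chosen random value (constructed)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: binds the CA's token to one ACME account key."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_response(token: str, account_jwk: dict):
    """(path, body) the requester must serve on the domain being validated."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, account_jwk)


def dns01_record(token: str, account_jwk: dict) -> str:
    """TXT value the requester must publish at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed view of the internet as the CA sees it. The real owner completed
# the challenge on paypal.com; the attacker controls only paypall.com.
_owner_path, _owner_body = http01_response(TOKEN, SITE_OWNER_JWK)
_attacker_path, _attacker_body = http01_response(TOKEN, ATTACKER_JWK)
HTTP_SITES = {
    "paypal.com": {_owner_path: _owner_body},
    "paypall.com": {_attacker_path: _attacker_body},
}
DNS_TXT = {
    "_acme-challenge.paypal.com": [dns01_record(TOKEN, SITE_OWNER_JWK)],
    "_acme-challenge.paypall.com": [dns01_record(TOKEN, ATTACKER_JWK)],
}


def ca_http_get(domain: str, path: str):
    """Stand-in for the CA's outbound HTTP fetch; returns the body or None."""
    return HTTP_SITES.get(domain, {}).get(path)


def ca_resolve_txt(name: str):
    """Stand-in for the CA's DNS lookup of TXT records."""
    return DNS_TXT.get(name, [])


def validate_http01(domain, token, account_jwk, http_get=ca_http_get):
    """CA side. The fetch goes to the domain named in the order, resolved by the
    CA itself, never to whatever server the requester happens to run."""
    path, expected = http01_response(token, account_jwk)
    served = http_get(domain, path)
    return served is not None and served.strip() == expected


def validate_dns01(domain, token, account_jwk, resolve_txt=ca_resolve_txt):
    """CA side. A correct TXT record can only be set by whoever controls the zone."""
    return dns01_record(token, account_jwk) in resolve_txt("_acme-challenge." + domain)
```

Both validators are keyed to the requester's own account key, so even copying the owner's published response onto another host does not help: the CA never asks that other host, and a response computed under the attacker's key will not match what the owner's zone or web root serves.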

Sure you can do it. You shouldn't be able to get a public CA to issue you one unless you own the domain. However, you can use a certificate you created, and if you can get the client to trust your cert, or the CA you used, then they won't get any errors when using it. This is how some corporate proxies work so that they can scan HTTPS traffic.

E-Rock

Technically, not practically, you can buy a certificate for paypal.com. I'll go into the practicalities later but let's assume for a moment that you did.

Then you need to install this certificate on your server. Since you don't own paypal.com, you probably have, let's say, paypall.com, hoping your visitors won't notice the two L's.

As soon as visitors visit your site, they will be given a warning that says that the certificate doesn't match the URL. While browsers give users the ability to continue, the warning is scary looking and will stop most people from continuing.

The certificate structure is kind of like two-factor authentication:

  • WHAT YOU HAVE: The private key to the certificate
  • WHAT YOU ARE: the URL

If you don't have both, you will have errors.

Now the practicals: no respectable CA will sell you a paypal.com certificate without the proper documentation. Every CA goes through a strict verification process to ensure you own the domain and you are who you say you are. Even the free SSL tool Let's Encrypt verifies that you own the domain by either checking DNS settings or by hitting your website with their crawler.

scuba_mike
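The "certificate doesn't match the URL" warning comes from the hostname check every TLS client performs against the names in the certificate. As an added example (my own code, not from this thread), here is that check written out for a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificates below are constructed. It applies the RFC 6125 wildcard rules and, like current browsers, only consults subjectAltName and ignores the commonName.

```python
def san_dns_names(cert: dict) -> list:
    """DNS names from subjectAltName, the only place browsers look today; a
    certificate with only a commonName therefore matches nothing."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(host: str, name: str) -> bool:
    """One presented identifier against the host, RFC 6125 section 6.4.3 style."""
    if "*" not in name:
        return host == name
    labels = name.split(".")
    # The wildcard must be the whole leftmost label, appear only once, and
    # leave at least two labels after it (so "*.com" cannot match paypal.com).
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False
    host_labels = host.split(".")
    # "*" stands in for exactly one label: *.paypal.com covers www.paypal.com
    # but not paypal.com itself and not a.b.paypal.com.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True if the certificate was issued for the hostname the user typed."""
    host = hostname.rstrip(".").lower()
    return any(_name_matches(host, n.rstrip(".").lower()) for n in san_dns_names(cert))


# Constructed certificates in getpeercert() shape (only the fields used here).
PAYPAL_CERT = {
    "subject": ((("commonName", "paypal.com"),),),
    "subjectAltName": (("DNS", "paypal.com"), ("DNS", "www.paypal.com")),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.paypal.com"),)}
TLD_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.com"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "paypal.com"),),)}


def browser_verdict(url_host: str, cert: dict) -> str:
    """What the address bar would do: proceed, or show the mismatch warning."""
    if hostname_matches(url_host, cert):
        return "ok"
    return "warning: certificate name does not match " + url_host
```

This is the second of the two checks in the answer above: even with a certificate genuinely issued for paypal.com, serving it from paypall.com fails `hostname_matches`, and serving a paypall.com certificate to a user who typed paypal.com fails the same way. The private-key possession part is enforced earlier, in the TLS handshake, and is not shown here.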