1

If a page is served to me via HTTPS and the certificate is OK, I know that the page is authentic.

What if I save the page? Can I check later if that page is authentic?

Anders
  • 64,406
  • 24
  • 178
  • 215
Guest
  • 11
  • 1
  • What do you mean by saving? Downloading the document? – Arminius Dec 13 '16 at 00:39
  • Yes. Think about a PDF file instead. If I download a PDF via HTTPS, can I prove someone else later that that PDF came from a trustworthy server? – Guest Dec 13 '16 at 01:28
  • If the PDF is (correctly) signed you can prove it came originally from the signer, but you may have received it from a different website, or via means that don't involve any website. Similar: http://security.stackexchange.com/questions/143375/how-to-prove-some-server-sent-some-file-over-https – dave_thompson_085 Dec 13 '16 at 08:44
  • In theory, this can be done by saving the [browser's key log](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format) and the pcap of the browser's connection with the server. Validation is done by using the pcap and the keylog to validate the key exchange. In practice, this is rather impractical. – Lie Ryan Dec 13 '16 at 10:26

1 Answers1

-1

There is no technical way you can know that the page is authentic other than having to reload it, i.e contacting the server again and validating its certificate. And that's by design, because otherwise it would kill the purpose.

Think about it, if there was such a way then it would be easy to copy another page's "authenticity" and apply it to fraudulent pages.

NA AE
  • 188
  • 3
  • 1
    I was not clear. I want to know if HTTPS signs the content or it just is used in order to establish a secure connection. – Guest Dec 13 '16 at 01:26
  • 1
    It's a Transport protocol and can only be helpful as far as transport is concerned. It authenticate the client and the server and ensures the message integrity as it is transmitted between the server and the client but cannot go further from that. Once the client receives the data, you are on your won. [This](https://hpbn.co/transport-layer-security-tls/) is a good explanation of the protocol. – NA AE Dec 13 '16 at 01:57
  • 1
    [Lie Ryan's comment to the question](https://security.stackexchange.com/questions/145158/is-there-a-way-to-check-later-if-a-saved-page-originally-served-via-https-is-leg#comment273061_145158) seems to imply that this answer is wrong: *"In theory, this can be done by saving the [browser's key log](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format) and the pcap of the browser's connection with the server. Validation is done by using the pcap and the keylog to validate the key exchange. In practice, this is rather impractical."* – user Dec 13 '16 at 15:26
  • You would NOT be able to "copy" another page's authenticity, because the way pages are proven valid is by signing them with the private key. You can verify this or not at any time, provided that you saved the signature, but you cannot just reattach it to another page. – Paul Dec 15 '16 at 14:46