I hope I'm on the right forum to post this question.
My setup includes a client application sending/receiving messages over HTTPS to a server. The client application is distributed to users; it is using libcurl for the HTTP calls. The server's URL to which the client app sends data is static and I control the server. I'm using SSL certificates to encrypt the data that is sent to the server and from the server. I'm trying to prevent a third party from seeing the transmitted data.
I created a certificate authority and a self-signed certificate. I installed the self-signed certificate on the server. When I make the libcurl calls I pass in the certificate authority public key file, which is distributed with the client app.
libcurl also allows checking the server certificate, but you must provide the unencrypted key as well, and I don't want that because someone might use it to decrypt all other messages to this server. Since I trust that I'm sending/receiving messages to the intended destination (my server's URL which the user cannot change), should I really check the server's certificate?
Is there any type of attack that I'm not taking into account in this setup?
Joined: 09 Jan 2006 Posts: 4 Location: Cremona (Italy)
Posted: Mon Apr 27, 2009 11:49 am Post subject: Re: SSL client-server setup
jenna wrote:
Hi,
Since I trust that I'm sending/receiving messages to the intended destination (my server's URL which the user cannot change), should I really check the server's certificate?
Is there any type of attack that I'm not taking into account in this setup?
Hi,
If you can check the server's certificate, it is better, so the lamer can't pass the server and have the trust of the server; if a lamer has the trust of the server, he/she will have the trust of the entire site.
When using SSL you are using asymmetric encryption. Your clients require the public key and your server requires the private key. You should never distribute your private key.
Read the following Wiki for a complete understanding on the process.
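The point made in the replies above (the client checks the server with the CA's public certificate only, and no private key leaves the server), as an added example that is not part of the original thread. It uses the openssl command-line tool and assumes its default configuration file is installed; the names demo-ca, other-ca, server and impostor are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every name and file below is made up for illustration.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca <name>: create a CA private key and its self-signed CA certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue_cert <ca> <name>: create a key and CSR for <name>, signed by <ca>.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -days 1 \
    -CA "$work/$1.crt" -CAkey "$work/$1.key" -CAcreateserial \
    -out "$work/$2.crt" 2>/dev/null
}

# client_trusts <ca> <cert>: the client-side check. It reads only the CA
# certificate (public) and the certificate the server presented.
client_trusts() {
  openssl verify -CAfile "$work/$1.crt" "$work/$2.crt" >/dev/null 2>&1
}

# has_private_key <file>: true if the PEM file contains a private key block.
has_private_key() { grep -q 'PRIVATE KEY' "$1"; }

make_ca demo-ca               # the CA whose certificate ships with the client
issue_cert demo-ca server     # certificate installed on the real server
make_ca other-ca              # a CA the client was never given
issue_cert other-ca impostor  # certificate presented by some other endpoint

for c in server impostor; do
  if client_trusts demo-ca "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done

# The file distributed with the client carries no private key material.
if has_private_key "$work/demo-ca.crt"; then
  echo "CA file contains a private key"
else
  echo "CA file is public material only"
fi
```

In libcurl the equivalent client-side check is CURLOPT_CAINFO pointing at the CA certificate with CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST left enabled.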