WebApp Sec mailing list archives
Re: How to perform SSL certificate validation ?
From: Ron <ron () gwn ca>
Date: Mon, 10 Jul 2006 14:12:00 -0500
Hello, Nagareshwar Talekar wrote:
I don't know how to perform the check for 3rd step. How can we ensure that CA is trusted? One of my colleague told that I have to store all trusted root certificates and then compare incoming certificate with existing ones.. Is there any better way to check this ...?
As far as I know, that's the only way it's done. If you check the settings of any web browser, it stores a list of trusted CA's. You can probably use one of those lists.
Also I was told that certificate validation is done to prevent the SSL-MITM attack Is this the only reason or is there any other reason for which the SSL certificate validation is done ?
As far as I know, that's the only reason. If some malicious individual (like Cathy) manages to get between your client and server, Cathy can send the client her certificate and the client will happily encrypt the data destined to Cathy, thus giving Cathy all your data. If you check the certificate against a trusted CA, it'll tell you that the certificate you were given isn't actually the intended server's, and you know that an attack is going on. For a trusted SSL system, that is a very important step to take.
It will be great if you can throw some light in this matter. Any links to relevant websites will do as well. Thanks
I don't have any links, but Googling "SSL MITM" should pull up something useful. Hope that helps, Ron ------------------------------------------------------------------------- Sponsored by: Watchfire Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr --------------------------------------------------------------------------
Current thread:
- How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 10)
- Re: How to perform SSL certificate validation ? Ron (Jul 10)
- RE: How to perform SSL certificate validation ? Dominick Baier (Jul 10)
- Re: How to perform SSL certificate validation ? Max (Jul 12)
- Re: How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 13)
- <Possible follow-ups>
- How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 10)
- RE: How to perform SSL certificate validation ? Wall, Kevin (Jul 11)
- Re: How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 11)
- Message not available
- Fwd: How to perform SSL certificate validation ? Mugdha Bendre (Jul 11)
- Re: Fwd: How to perform SSL certificate validation ? Devdas Bhagat (Jul 30)
- Re: How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 11)
- Re: How to perform SSL certificate validation ? Jason (Jul 15)