WebApp Sec mailing list archives

Re: How to perform SSL certificate validation ?

From: Ron <ron () gwn ca>
Date: Mon, 10 Jul 2006 14:12:00 -0500

Hello,

Nagareshwar Talekar wrote:

 I don't know how to perform the check for 3rd step. How can we ensure
 that CA is trusted? One of my colleague told that I have to store all
trusted
 root certificates and then compare incoming certificate with existing
ones..

 Is there any better way to check this ...?

As far as I know, that's the only way it's done.  If you check the
settings of any web browser, it stores a list of trusted CA's.  You can
probably use one of those lists.


 Also I was told that certificate validation is done to prevent the
SSL-MITM attack
 Is this the only reason or is there any other reason for which the
SSL certificate
 validation is done ?

As far as I know, that's the only reason.  If some malicious individual
(like Cathy) manages to get between your client and server, Cathy can
send the client her certificate and the client will happily encrypt the
data destined to Cathy, thus giving Cathy all your data.

If you check the certificate against a trusted CA, it'll tell you that
the certificate you were given isn't actually the intended server's, and
you know that an attack is going on.  For a trusted SSL system, that is
a very important step to take.

It will be great if you can throw some light in this matter. Any
links to relevant
websites will do as well.

Thanks


I don't have any links, but Googling "SSL MITM" should pull up something
useful.


Hope that helps,

Ron

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------

Current thread:

How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 10)
- Re: How to perform SSL certificate validation ? Ron (Jul 10)
- RE: How to perform SSL certificate validation ? Dominick Baier (Jul 10)
- Re: How to perform SSL certificate validation ? Max (Jul 12)
  - Re: How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 13)
- <Possible follow-ups>
- How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 10)
- RE: How to perform SSL certificate validation ? Wall, Kevin (Jul 11)
  - Re: How to perform SSL certificate validation ? Nagareshwar Talekar (Jul 11)
    - Message not available
    - Fwd: How to perform SSL certificate validation ? Mugdha Bendre (Jul 11)
    - Re: Fwd: How to perform SSL certificate validation ? Devdas Bhagat (Jul 30)
- Re: How to perform SSL certificate validation ? paseidon76 (Jul 15)
  - Re: How to perform SSL certificate validation ? Jason (Jul 15)