
SSL client-server setup

jenna

Posted: Thu Apr 02, 2009 11:56 pm    Post subject: SSL client-server setup

Hi,

I hope I'm on the right forum to post this question.

My setup includes a client application sending/receiving messages over HTTPS to a server. The client application is distributed to users; it is using libcurl for the HTTP calls. The server's URL to which the client app sends data is static and I control the server. I'm using SSL certificates to encrypt the data that is sent to the server and from the server. I'm trying to prevent a third party from seeing the transmitted data.

I created a certificate authority and a self-signed certificate. I installed the self-signed certificate on the server. When I make the libcurl calls I pass in the certificate authority public key file - which is distributed with the client app.

libcurl also allows checking the server certificate, but you must provide the unencrypted key as well, and I don't want that because someone might use it to decrypt all other messages to this server. Since I trust that I'm sending/receiving messages to the intended destination (my server's URL which the user cannot change), should I really check the server's certificate?

Is there any type of attack that I'm not taking into account in this setup?

Thanks,
J
heba

Posted: Mon Apr 27, 2009 11:49 am    Post subject: Re: SSL client-server setup

jenna wrote:
Hi,

Since I trust that I'm sending/receiving messages to the intended destination (my server's URL which the user cannot change), should I really check the server's certificate?

Is there any type of attack that I'm not taking into account in this setup?


Hi,
if you can check the server's certificate, it is better, so the lamer can't pass the server and have the trust of the server; if a lamer has the trust of the server, he/she will have the trust of the entire site.
Fire Ant

Posted: Mon Apr 27, 2009 12:39 pm

jenna,

When using SSL you are using asymmetric encryption. Your clients require the public key and your server requires the private key. You should never distribute your private key.

Read the following Wiki for a complete understanding of the process.

http://en.wikipedia.org/wiki/Transport_Layer_Security

Matt_s
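An added example, not part of the thread and not any poster's code: the split described in the post above, shown with the curl command-line tool (built on libcurl), where the client ships only the CA certificate and the bundle is checked for private-key blocks before it is used. The helper names, file names and return codes are assumptions, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: helper names, file names and return codes are assumptions.

# Succeeds only if the PEM bundle is safe to ship with the client:
# at least one certificate and no private-key block of any kind.
check_trust_bundle() {  # $1 = path to PEM bundle
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 3; }
    if grep -Eq -- '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 2
    fi
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$1" || {
        echo "refusing: $1 contains no certificate" >&2
        return 1
    }
}

# Fetch a URL over HTTPS, verifying the server against the bundled CA.
# curl checks the certificate chain and host name by default; --cacert
# names the CA file to verify against. No key is needed on the client.
fetch_verified() {  # $1 = CA bundle, $2 = https:// URL
    check_trust_bundle "$1" || return $?
    case "$2" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $2" >&2; return 4 ;;
    esac
    curl --fail --silent --show-error --proto '=https' --cacert "$1" "$2"
}

# Constructed sample bundles (placeholder bodies, not real key material).
make_samples() {  # $1 = existing directory
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/ca-only.pem"
    { cat "$1/ca-only.pem"
      printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
          '-----END RSA PRIVATE KEY-----'; } > "$1/ca-and-key.pem"
}
```

With libcurl itself, the same behaviour comes from setting CURLOPT_CAINFO to the CA file and leaving CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST enabled.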
heba

Posted: Mon Apr 27, 2009 1:21 pm

matt_s wrote:
jenna,


Read the following Wiki for a complete understanding on the process.

http://en.wikipedia.org/wiki/Transport_Layer_Security

Matt_s


I think jenna asked something else... ;)