I hope I'm on the right forum to post this question.
My setup includes a client application sending/receiving messages over HTTPS to a server. The client application is distributed to users; it is using libcurl for the HTTP calls. The server's URL to which the client app sends data is static and I control the server. I'm using SSL certificates to encrypt the data that is sent to the server and from the server. I'm trying to prevent a third party from seeing the transmitted data.
I created a certificate authority and a self-signed certificate. I installed the self-signed certificate on the server. When I make the libcurl calls I pass in the certificate authority public key file - which is distributed with the client app.
libcurl also allows checking for the server certificate, but you must provide the unencrypted key as well and I don't want that because someone might use it to decrypt all other messages to this server. Since I trust that I'm sending/receiving messages to the intended destination (my server's URL which the user cannot change), should I really check the server's certificate?
Is there any type of attack that I'm not taking into account in this setup?
Posted: Mon Apr 27, 2009 11:49 am Post subject: Re: SSL client-server setup
jenna wrote:
Hi,
Since I trust that I'm sending/receiving messages to the intended destination (my server's URL which the user cannot change), should I really check the server's certificate?
Is there any type of attack that I'm not taking into account in this setup?
Hi,
If you can check the server's certificate, it is better, so the lamer can't pass the server and have the trust of the server; if a lamer has the trust of the server, he/she will have the trust of the entire site.
When using SSL you are using an asymmetric encryption. Your clients require the public key and your server requires the private key. You should never distribute your private key.
Read the following Wiki for a complete understanding of the process.
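An added example, not part of the thread and not the poster's setup: it rebuilds the arrangement discussed above with the openssl command line (assumed to be installed) and shows that the client's certificate check reads only the CA certificate and the server certificate, never a private key. The names demo-ca, other-ca and server.example.test are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo. demo-ca, other-ca and server.example.test are made-up names.
set -eu

# make_ca DIR NAME: CA private key (stays with the CA owner) and CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA_NAME OUT_NAME HOST: server key and a certificate signed by the CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# client_check CA_CERT SERVER_CERT: the client-side decision, made from
# public files only (no .key file is read here).
client_check() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" demo-ca                                   # CA cert shipped with the client
    issue_cert "$d" demo-ca server server.example.test     # certificate installed on the server
    make_ca "$d" other-ca                                  # a CA the client does not ship
    issue_cert "$d" other-ca lookalike server.example.test # same host name, different issuer
    echo "server cert from demo-ca: $(client_check "$d/demo-ca.pem" "$d/server.pem")"
    echo "same name from other-ca:  $(client_check "$d/demo-ca.pem" "$d/lookalike.pem")"
    rm -rf "$d"
}
demo
```

libcurl performs this chain check when CURLOPT_SSL_VERIFYPEER is enabled and CURLOPT_CAINFO points at the CA certificate, and it additionally matches the host name under CURLOPT_SSL_VERIFYHOST.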