Hello,
Nagareshwar Talekar wrote:
I don't know how to perform the check for 3rd step. How can we ensure
that CA is trusted? One of my colleague told that I have to store all
trusted
root certificates and then compare incoming certificate with existing
ones..
Is there any better way to check this ...?
As far as I know, that's the only way it's done. If you check the
settings of any web browser, it stores a list of trusted CA's. You can
probably use one of those lists.
Also I was told that certificate validation is done to prevent the
SSL-MITM attack
Is this the only reason or is there any other reason for which the
SSL certificate
validation is done ?
As far as I know, that's the only reason. If some malicious individual
(like Cathy) manages to get between your client and server, Cathy can
send the client her certificate and the client will happily encrypt the
data destined to Cathy, thus giving Cathy all your data.
If you check the certificate against a trusted CA, it'll tell you that
the certificate you were given isn't actually the intended server's, and
you know that an attack is going on. For a trusted SSL system, that is
a very important step to take.
It will be great if you can throw some light in this matter. Any
links to relevant
websites will do as well.
Thanks
I don't have any links, but Googling "SSL MITM" should pull up something
useful.
Hope that helps,
Ron
-------------------------------------------------------------------------
Sponsored by: Watchfire
Cross-Site Scripting (XSS) is one of the most common application-level
attacks that hackers use to sneak into web applications today. This
whitepaper will discuss how traditional CSS attacks are performed, how to
secure your site against these attacks and check if your site is protected.
Cross-Site Scripting Explained - Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------
