Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to perform SSL certificate validation ?

from [Nagareshwar Talekar] Network Security [Permanent Link]
Subject: Re: How to perform SSL certificate validation ?
Date: Tue, 11 Jul 2006 22:42:53 +0530 
Hi List,

     Thank you for the information. It was very useful especially the
BIG detailed mail
by Kevin. I think it can make up a  good article on ssl validation
process..( as there is not much info on this currently on net )

  I forgot to mention that I am implementing it in C/C++ on windows platform.

  I read one of the ssl_mitm pdf and tried to create a self signed
certificate using SSL as mentioned in it. To my surprise I found that
user can specify all the parameters while creating the certificate and
hence attacker can create fully valid certificate.....which can defeat
the major checks such as

1) Date validation
2) Hostname checks
3) Even one can put trusted CA's name (Verisign Inc etc).which can
   make it to believe that this is from trusted authority.

I think these are the major checks done by browser such as IE ,
firefox etc....!!!
( One can make out from the dialogs shown by these browsers )

Am I into wrong conclusions? Any comments ?


Also I have got simple idea of checking for trusted certificate ( since
we don't want to cache the trusted root certificates as browsers do )
Here it is
1) During first time connection with server , if its certificate is valid
( i.e date is valid and hostname matches ) then it will be added to the local
cache.

2) During next connection with that server, incoming certificate will be checked
against the cached certificate ( in addition to date check) , if its not same
then that means the certificate is not trusted..

It looks simple and straight forward. Do you see any flaw in this
implementation ??


Thanks for your time..!

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. This whitepaper will discuss how traditional CSS attacks are performed, how to secure your site against these attacks and check if your site is protected. Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Oracle SQL Injection, Mark Keegan
Next by Date:  Re: Oracle SQL Injection, Tim
Previous by Thread:  RE: How to perform SSL certificate validation ?, Wall, Kevin
Next by Thread:  Fwd: How to perform SSL certificate validation ?, Mugdha Bendre
Indexes:  [Date] [Thread] [Top] [All Lists]