On 11/07/06 15:58 -0700, Mugdha Bendre wrote:
On 7/11/06, Nagareshwar Talekar <tnagareshwar@gmail.com > wrote:
Hi List,
Thank you for the information. It was very useful especially the
BIG detailed mail
by Kevin. I think it can make up a good article on ssl validation
process..( as there is not much info on this currently on net )
I forgot to mention that I am implementing it in C/C++ on windows
platform.
I read one of the ssl_mitm pdf and tried to create a self signed
certificate using SSL as mentioned in it. To my surprise I found that
user can specify all the parameters while creating the certificate and
hence attacker can create fully valid certificate.....which can defeat
the major checks such as
That's why a self signed certificate is not considered secure, and you
*should* verify the certificate is signed by a trusted CA. Just
Where a trusted CA certificate is obtained by some means *other* than
downloading it off the network. Alternatively, downloading the
certificate from the network and verifying the fingerprint out-of-band
should work too.
Remember that self signed certificates *are* secure, as long as you have
a chain to them. A completely unverified certificate isn't trustable but
works fine for certain purposes (where you merely want the channel to
be encrypted).
Devdas Bhagat
-------------------------------------------------------------------------
Sponsored by: Watchfire
AppScan 6.5 is now available! New features for Web Services Testing,
Advanced Automated Capabilities for Penetration Testers, PCI Compliance
Reporting, Token Analysis, Authentication testing, Automated JavaScript
execution and much more.
Download a Free Trial of AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------
