Security Basics mailing list archives
Re: Validating SSL certificates
From: amol.dabholkar () gmail com
Date: Fri, 6 Jul 2012 06:55:26 GMT
Hi Erik,

I assume that you have standalone software that you give to your customers and which can be used offline. The software then is under the complete control of your untrusted customer. In that case, I do not see how you can avoid hardcoding the root cert in your code (or a thumbprint that you can use to verify that the root cert in the client-side trust store is the one you used to sign the client cert).

If your self-signed root cert is outside of your program, the untrusted customer can easily replace it with their own cert chain, since everything in the customer environment other than the binary executable is under the customer's control. Of course, if the customer is really determined he can always crack the binary, but as a minimum safeguard I would think hardcoding the root cert in the program is necessary.

regards
Amol
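The check Amol describes, a root thumbprint compiled into the binary and compared against whatever chain the client-side trust store produces, as an added example in Go that is not part of this thread or of anyone's shipped product. It uses only the standard library; the names `fingerprint`, `verifyChainAgainstPin`, `mustIssue` and `demo` are my own, and both the vendor root and the "customer" root are generated at runtime as constructed test data so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fingerprint is the SHA-256 of a certificate's DER encoding: the thumbprint
// a binary can carry as a constant instead of the whole root cert.
func fingerprint(cert *x509.Certificate) [sha256.Size]byte {
	return sha256.Sum256(cert.Raw)
}

// verifyChainAgainstPin lets x509.Verify build a chain from leaf to one of
// roots (signatures, validity, CA constraints), then insists that the chain
// ends in the root whose fingerprint is baked into the program.
func verifyChainAgainstPin(leaf *x509.Certificate, roots []*x509.Certificate, pinnedHex string) error {
	pinned, err := hex.DecodeString(pinnedHex)
	if err != nil || len(pinned) != sha256.Size {
		return errors.New("pin constant is not a SHA-256 hex digest")
	}
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("chain build: %w", err)
	}
	for _, chain := range chains {
		fp := fingerprint(chain[len(chain)-1]) // last element is the trust anchor
		if subtle.ConstantTimeCompare(fp[:], pinned) == 1 {
			return nil
		}
	}
	return errors.New("chain does not end in the pinned root")
}

// mustIssue generates a certificate for the demo (constructed test data):
// a self-signed CA when parent is nil, otherwise a client cert signed by
// parent. Following Go's must* convention it panics if generation fails.
func mustIssue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// demo pins the vendor root, then checks a genuine chain and a chain whose
// trust store was replaced by a customer-made CA, returning both outcomes.
func demo() (genuineErr, swappedErr error) {
	vendorRoot, vendorKey := mustIssue("Vendor Root (constructed)", nil, nil)
	leaf, _ := mustIssue("customer-1", vendorRoot, vendorKey)
	fp := fingerprint(vendorRoot)
	pin := hex.EncodeToString(fp[:]) // in a shipped build this is a const
	genuineErr = verifyChainAgainstPin(leaf, []*x509.Certificate{vendorRoot}, pin)

	// Same client name, issued from a CA the customer installed in place of
	// the vendor root: signatures verify, the pin does not.
	otherRoot, otherKey := mustIssue("Customer Root (constructed)", nil, nil)
	otherLeaf, _ := mustIssue("customer-1", otherRoot, otherKey)
	swappedErr = verifyChainAgainstPin(otherLeaf, []*x509.Certificate{otherRoot}, pin)
	return genuineErr, swappedErr
}
```

Two design points. The pin is checked in addition to, not instead of, normal chain validation, so an expired or mis-signed leaf is still rejected even when it hangs off the right root; and the fingerprint comparison is constant-time out of habit, though the pin itself is not secret. The trade-off Amol hints at also shows here: a thumbprint compiled into the binary means every root rotation needs a new build of the client.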
Current thread:
- Validating SSL certificates Erki Männiste (Jul 04)
- RE: Validating SSL certificates William Madell (Jul 05)
- <Possible follow-ups>
- RE: Validating SSL certificates Erki Männiste (Jul 04)
- Re: Validating SSL certificates amol . dabholkar (Jul 06)