Re: Fwd: How to perform SSL certificate validation ?

[Devdas Bhagat <devdas () dvb homelinux org>]

On 11/07/06 15:58 -0700, Mugdha Bendre wrote:
> On 7/11/06, Nagareshwar Talekar <tnagareshwar () gmail com > wrote:
> > Hi List,
> >
> >      Thank you for the information. It was very useful especially the
> > BIG detailed mail
> > by Kevin. I think it can make up a  good article on ssl validation
> > process..( as there is not much info on this currently on net )
> >
> >   I forgot to mention that I am implementing it in C/C++ on windows 
> >   platform.
> >
> >   I read one of the ssl_mitm pdf and tried to create a self signed
> > certificate using SSL as mentioned in it. To my surprise I found that
> > user can specify all the parameters while creating the certificate and
> > hence attacker can create fully valid certificate.....which can defeat
> > the major checks such as
>
>
> That's why a self signed certificate is not considered secure, and you
> *should* verify the certificate is signed by a trusted CA. Just

Where a trusted CA certificate is obtained by some means *other* than
downloading it off the network. Alternatively, downloading the
certificate from the network and verifying the fingerprint out-of-band
should work too.

Remember that self signed certificates *are* secure, as long as you have
a chain to them. A completely unverified certificate isn't trustable but
works fine for certain purposes (where you merely want the channel to
be encrypted).

Devdas Bhagat

-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan 6.5 is now available! New features for Web Services Testing, 
Advanced Automated Capabilities for Penetration Testers, PCI Compliance 
Reporting, Token Analysis, Authentication testing, Automated JavaScript 
execution and much more. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------