Home page logo
/

basics logo Security Basics mailing list archives

Re: Validating SSL certificates
From: amol.dabholkar () gmail com
Date: Fri, 6 Jul 2012 06:55:26 GMT

Hi Erik
I assume that you have a standalone software that you give to your customers and which can be used offline. The 
software then is under the complete control of your untrusted customer.
In that case, I do not see how you can avoid hardcoding the root cert in your code (or a thumbprint that you can use to 
verify that the root cert on the client side trust store is the one you used to sign the client cert)
If your self signed root cert is outside of your program, the untrusted customer can easily replace it by their own 
cert chain since everything in the customer environment other than the binary executable is in the customer control.
Ofcourse, if the customer is really determined he can always crack the binary, but as a minimum safegaurd i would think 
hardcoding the root cert in the program is necessary.
regards
Amol

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]