Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Re: How to perform SSL certificate validation ?
From: Ron <ron () gwn ca>
Date: Mon, 10 Jul 2006 14:12:00 -0500
Hello,

Nagareshwar Talekar wrote:

 I don't know how to perform the check for 3rd step. How can we ensure
 that CA is trusted? One of my colleague told that I have to store all
trusted
 root certificates and then compare incoming certificate with existing
ones..

 Is there any better way to check this ...?

As far as I know, that's the only way it's done.  If you check the
settings of any web browser, it stores a list of trusted CA's.  You can
probably use one of those lists.



 Also I was told that certificate validation is done to prevent the
SSL-MITM attack
 Is this the only reason or is there any other reason for which the
SSL certificate
 validation is done ?

As far as I know, that's the only reason.  If some malicious individual
(like Cathy) manages to get between your client and server, Cathy can
send the client her certificate and the client will happily encrypt the
data destined to Cathy, thus giving Cathy all your data.

If you check the certificate against a trusted CA, it'll tell you that
the certificate you were given isn't actually the intended server's, and
you know that an attack is going on.  For a trusted SSL system, that is
a very important step to take.


It will be great if you can throw some light in this matter. Any
links to relevant
websites will do as well.

Thanks



I don't have any links, but Googling "SSL MITM" should pull up something
useful.


Hope that helps,

Ron

-------------------------------------------------------------------------
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how to 
secure your site against these attacks and check if your site is protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
--------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]