[erlang-questions] ssl certificate verification in httpc

Graham Hay grahamrhay@REDACTED
Thu Jul 17 09:42:43 CEST 2014


https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning


On 17 July 2014 08:08, Roger Lipscombe <roger@REDACTED> wrote:

> SSL encryption is done by the client creating a session key, and using
> the server's public key (from the server's certificate) to securely
> send it to the server. If you don't verify the server certificate, you
> have no way of knowing whether you're subject to a man-in-the-middle
> attack, where the attacker can give you a fake certificate, extract
> the session key, read/manipulate all your traffic, and then
> (optionally) send it to the real server.
>
> Encryption is only half of the story. SSL also aims to guarantee safe
> key exchange, but to do that, you need to verify the server
> certificate. This means verifying that the names match, that it's
> trusted (or issued by a trusted CA), and that it hasn't expired, been
> revoked, etc.
>
> And there's more than one way (also including DNS spoofing) to
> intercept the traffic: transparent proxies, pwned WiFi router, etc.
>
> On 15 July 2014 15:41, Camille Troillard <lists@REDACTED> wrote:
> > Hi Robert,
> >
> >> SSL essentially does two things at once: encrypts the data and checks
> >> if client and/or server are who they say they are. The latter is where
> >> certificate verification comes into play, the encryption part is always
> >> done and usually automatically negotiated between client and server.
> >>
> >> So, if all you are aiming for is encrypting the data travelling between
> >> client and server, then you don't need the ssl option. Just point your
> >> httpc:request at an "https://..." URL and the encryption is handled for
> >> you without you having to do anything more.
> >
> > I think this works only if you trust your DNS, otherwise you have to
> > check that the certificate matches the host.
> > Please correct me if I’m wrong.
> >
> > Cam
> >
> >
> > _______________________________________________
> > erlang-questions mailing list
> > erlang-questions@REDACTED
> > http://erlang.org/mailman/listinfo/erlang-questions
>
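The difference the thread is arguing about, "encrypted" versus "verified", comes down to the ssl options handed to httpc. The module below is an added example, not code from the thread or from OTP itself: it makes the same request with the default-style no-verification options, with chain and hostname verification as Roger describes (trusted CA, validity, name match), and with certificate pinning on top, as in the OWASP page Graham links. The module name, the `CaFile` path and the `ExpectedFingerprint` value are the caller's own; the ssl options used (`verify`, `cacertfile`, `depth`, `customize_hostname_check`, `verify_fun`) are documented OTP ssl options, though some of them postdate the 2014 OTP releases this thread was written against.

```erlang
%% Added example (not code from the thread or from OTP): the same httpc
%% request made three ways, so that the difference between "encrypted"
%% and "verified" is visible in the ssl options.
-module(httpc_verify_example).
-export([insecure_request/1, verified_request/2, pinned_request/3]).

%% Encryption only. The session key is protected with whatever public key
%% the peer presents, but nothing checks whose key that is, so a
%% man-in-the-middle holding any certificate at all gets the plaintext.
insecure_request(Url) ->
    httpc:request(get, {Url, []}, [{ssl, [{verify, verify_none}]}], []).

%% Verification as described in the thread: a chain ending in a trusted
%% CA, every certificate within its validity period, and the name in the
%% leaf certificate matching the host in the URL. CaFile is a PEM bundle
%% of trusted roots supplied by the caller (for example the operating
%% system's CA bundle); no particular path is assumed here.
verified_request(Url, CaFile) ->
    httpc:request(get, {Url, []}, [{ssl, verify_opts(CaFile)}], []).

verify_opts(CaFile) ->
    [{verify, verify_peer},
     {cacertfile, CaFile},
     %% Maximum number of intermediate CAs allowed between leaf and root.
     {depth, 3},
     %% Match the URL's host against the certificate's SAN/CN using the
     %% HTTPS rules (RFC 6125) rather than an exact string comparison.
     %% httpc passes the URL host to ssl:connect/3, which feeds this check.
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Certificate pinning: in addition to the chain checks, refuse any leaf
%% certificate whose SHA-256 fingerprint differs from one recorded out of
%% band. ExpectedFingerprint is a 32-byte binary the caller obtained
%% beforehand (a placeholder here; no real fingerprint is assumed).
pinned_request(Url, CaFile, ExpectedFingerprint) ->
    SslOpts = [{verify_fun, {fun pin_check/3, ExpectedFingerprint}}
               | verify_opts(CaFile)],
    httpc:request(get, {Url, []}, [{ssl, SslOpts}], []).

%% verify_fun is called once per certificate in the chain, with the path
%% validation result as the Event argument. Any failure ssl found (untrusted
%% issuer, expired, hostname mismatch, ...) is rejected as-is; the pin is
%% applied only to the leaf certificate (valid_peer), CA certificates pass.
pin_check(_Cert, {bad_cert, _} = Reason, _State) ->
    {fail, Reason};
pin_check(_Cert, {extension, _}, State) ->
    {unknown, State};
pin_check(_Cert, valid, State) ->
    {valid, State};
pin_check(Cert, valid_peer, ExpectedFingerprint) ->
    %% Re-encode the decoded OTPCertificate to DER and hash the whole
    %% certificate; this is certificate pinning, not public-key pinning.
    Der = public_key:pkix_encode('OTPCertificate', Cert, otp),
    case crypto:hash(sha256, Der) of
        ExpectedFingerprint -> {valid, ExpectedFingerprint};
        _Other -> {fail, pinned_certificate_mismatch}
    end.
```

Start `inets` and `ssl` (`application:ensure_all_started(inets)`, `application:ensure_all_started(ssl)`) before calling any of these. With `verified_request/2`, a certificate issued for a different name, an expired certificate or one not chaining to the bundle makes `httpc:request` return `{error, {failed_connect, ...}}` instead of silently talking to whoever answered; `pinned_request/3` additionally fails when a certificate that is otherwise valid is not the one you recorded, which is what protects against a compromised or misissuing CA.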