[erlang-questions] ssl certificate verification in httpc

[Roger Lipscombe]

SSL encryption is done by the client creating a session key, and using
the server's public key (from the server's certificate) to securely
send it to the server. If you don't verify the server certificate, you
have no way of knowing whether you're subject to a man-in-the-middle
attack, where the attacker can give you a fake certificate, extract
the session key, read/manipulate all your traffic, and then
(optionally) send it to the real server.

Encryption is only half of the story. SSL also aims to guarantee safe
key exchange, but to do that, you need to verify the server
certificate. This means verifying that the names match, that it's
trusted (or issued by a trusted CA), and that it hasn't expired, been
revoked, etc.

And there's more than one way (also including DNS spoofing) to
intercept the traffic: transparent proxies, pwned WiFi router, etc..

On 15 July 2014 15:41, Camille Troillard <lists@REDACTED> wrote:
> Hi Robert,
>
>> SSL essentially does two things at once: encrypts the data and checks if client and/or server are who they say they are. The latter is where certificate verification comes into play, the encryption part is always done and usually automatically negotiated between client and server.
>>
>> So, if all you are aiming for is encrypting the data travelling between client and server, then you don't need the ssl option. Just point your httpc:request at an "https://..." URL and the encryption is handled for you without you having to do anything more.
>
> I think this works only if you trust your DNS, otherwise you have to check that the certificate matches the host.
> Please correct me if I’m wrong.
>
> Cam
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions