All geek questions in one place

Can a man-in-the-middle attack be prevented by using self-signed certificates?

I'm not sure that a similar question was asked before (I could not find it), but is it possible to protect Client / Server from a Man-In-The-Middle attack?

I am writing a client application to communicate with the server. Communication will be based on SSLv3. I'm fine with self-signed certificate servers, but I worry that someone else generates the same self-signed certificate in the same server name and pretends to be. My Client application uses the OpenSSL library. [Client and server are cost-based, if that matters]. Can I avoid this attack while still supporting self-signed certificates?

+6
source share
3 answers

Yes.

In short, a self-signed certificate is more insecure than a CA certificate only if the client does not know the certificate in advance and therefore does not have the right to verify whether the server is who it is.

If you add a self-signed certificate to a client and do not accept any other certificate, you are actually protected (or, one might say, all the more) than having a certificate certificate signed by a certificate.

Important components for securing SSL with or without a certification authority are:

  • The serverโ€™s private key (and in the case of CA, the private keys of all its roots) is kept secret.
  • The client knows the server certificate (or its root CA).
+12
source

You can hard-code the server certificate and compare it with what you get.

Or better yet, create a CA certificate and a server certificate signed by the CA. Ask the CA to trust the client (again, hard-coded it in its application) and confirm the received server certificate with the CA certificate.

+4
source

If you can protect your private keys well enough, the intermediary will not be able to masquerade you, believing that the user is really looking at the certificate. The problem with self-subscription is that if you want the user to add an exception to their browser or simply ignore the warning, then you are subjected to a man in the middle attack because someone else can create their own certificate.

Of course, โ€œprotecting your private keys is good enoughโ€ is not at all trivial. When you pay for a Verisign certificate, you do not pay for your software that creates the certificate โ€” you pay for the security forces that guard the building where the private keys are stored.

+1
source

Source: https://habr.com/ru/post/921693/

More articles:


All Articles