Re: insecure, convenient use of SSL
Jason Dusek wrote:
> Michael Ströder <firstname.lastname@example.org> wrote:
>> You shouldn't use SSL in such an insecure way.
>
> I don't use SSL for anything but encryption.

There's no proper authorization without proper authentication. In the
case of SSL/TLS the encryption layer can only be securely established if
the client checks the server's identity by validating the server's cert
and checking the server's name.

> Secure server identity is handled by my DNS setup.

It is very unlikely that you can sufficiently protect DNS information
unless you use signed DNS zones with DNSSEC also on the client side.
Checking the server's fully-qualified domain-name against the CN or the
subjectAltName of the server's certificate is a MUST.

Maybe you could elaborate on your particular needs.
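
An added example, not part of the original message: a simplified Python sketch of the name check described above (FQDN against subjectAltName, with the CN as fallback), plus a test that tells an "encryption only" client context from one that authenticates the server. The function names, the sample certificates and the wildcard policy are assumptions made for illustration; in a real client the TLS library performs this check when verification is left enabled.

```python
import ssl

# Constructed sample certificates, in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_SAN = {"subject": ((("commonName", "old.example.org"),),),
            "subjectAltName": (("DNS", "ldap.example.org"), ("DNS", "*.dir.example.org"))}
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.org"),),)}


def _name_matches(pattern, fqdn):
    """Compare one certificate name with the FQDN, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never covers more than one label
    if p[0] == "*":
        # Assumed policy: wildcard only as the whole left-most label, never "*.tld".
        return pattern.count("*") == 1 and len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_names(cert):
    """dNSName entries from subjectAltName; the CN is used only when there are none."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def server_name_ok(cert, fqdn):
    """True if the name the client connected to appears in the validated certificate."""
    return any(_name_matches(name, fqdn) for name in cert_names(cert))


def authenticates_server(ctx):
    """True only if the context validates the chain and checks the server's name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def encryption_only_context():
    """The 'SSL for encryption only' setup: any certificate from any peer is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

The name comparison only means something after the certificate chain has been validated; on an unverified certificate the names are whatever the peer chose to send.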