News  [SoftwareSite

Latest News
Older News
RSS Feed
 
Complete Projects
Useful Classes
Top Downloads
Message Board
AllAPI.net
 
Send Comments
Software License
Mentalis.org Buttons
Donate
 
Forums -> Security Library Forum
 
Mutual Authentication, MITM attacks, etc.  
by Angel Todorov [atodorov at acm dot org]
posted on 2003/11/07

I have the following question: in order to avoid Man in the middle attacks, i am using the MutualAuthentication property on the SecurityFlags, regarding the SecureSocket. I would like to know if there is a way to check if the server (in the case a DB server) accepted the client's certificate or not. In my case, i import a PFX file from file, then associate it with the secure socket. The operations , when the appl. is executed, proceed as normally. Is there an explicit way in which i can see how the authentication regarding client authenticating to a server proceeds? The other part, the client verifying the credentials of the server is clear to me.

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2003/11/07

MutualAuthentication is not required to foil a man in the middle attack. The only requirement to avoid men in the middle is that the client can verify the certificate of the server. Mutual authentication should be used if the server doesn't allow anonymous connections [this makes sense when connecting to a database].

If the server rejects the client certificate, it closes the connection [and optionally sends an alert message first]. So if you can send data over the connection, you can rest assured that the server has accepted your certificate. There is currently no other way to verify whether the server has a problem with your certificate.

 

Copyright © 2002-2007, The Mentalis.org Team. All rights reserved.
This site is located at http://www.mentalis.org/
Send comments to the webmaster.