Chase Douglas wrote: > I am developing an iPhone app that will incorporate SSL for encryption > of network communication. The encrypted connection will be between > average users and their home servers. Most of the time I envision > people having SSL certificates that cannot be validated with the > default iPhone root certificates. When this occurs, I would like to > show a screen with information from the certificate so people can > manually verify that it matches the certificate of their home server. > > Given the screen real estate of a mobile device, what information > would you present to the user, and what would you leave out? I am > thinking of presenting just the issuer, subject, validity time frame, > and signature, leaving out things like serial number, signature and > key algorithms, and the public key itself. Is this reasonable?
Others might disagree, but IMO, if you don't check the public key or a hash of the certificate, and the certificate isn't issued by a CA, no matter what you do, all you will get is 100% protection from passive interception and 0% active interception. Displaying the issuer, subject, validity time frame, algorithms, and the like does nothing but give the user a warm, fuzzy feeling. It in no way increases security. You can certainly still display it, because warm, fuzzy feelings are nice. If you want protection against active interception, you must validate the public key, certificate signature, or have a certificate issued by a trusted CA. You need do nothing but use SSL to protect against passive interception. You can do with SSH does. If you can cache the server name along with a secure hash of the public key, you can at least prevent someone from an active attack on a server you have previously used. That way, even for complete security, you need only compare the key thumbprints once, which you can do while you install the server on your home computer. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
