Ian

Reputation: 25346

Verifying A Server's Identity

What is the best means to verify that a server is who it says it is?

I'm guessing using signed SSL certs is the best route, but was wondering if there was any programmatic means to do this.

EDIT: This is for an app where servers deal with other servers (authenticating each other) in order to exchange user info. (Sorry if I forgot to mention that.)

Upvotes: 0

Views: 176

Answers (3)

Nikos

Reputation: 559

You don't need certificates to prove your identity (or a server's for that case) to someone. You can use pre-shared keys for that purpose, and avoid any public key infrastructure. The TLS (or SSL) protocol supports that. Find a TLS library that allows you to use TLS-PSK and use it.

Upvotes: 1

Nick ODell

Reputation: 25269

I'd recommend HMAC or RSA. HMAC is pretty secure and much easier to implement. HMAC could get unwieldy if you have 5 servers that all need to communicate with each other directly.

What are you trying to secure? It sounds like a web application, and if it is one, then you should go with SSL certs.

Upvotes: 0
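
The HMAC approach from this answer, as an added example that is not part of any answer in the thread: a challenge-response in which each server proves it holds the pair's shared key, with a key table for five servers showing the ten pairwise keys that make it unwieldy. The server names, the `srv-auth-v1` label and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

# Constructed sample data: hypothetical server names, one random key per pair.
SERVERS = ["a.example", "b.example", "c.example", "d.example", "e.example"]
PAIR_KEYS = {frozenset(p): secrets.token_bytes(32) for p in combinations(SERVERS, 2)}


def encode(*parts):
    """Length-prefix each field so field boundaries are unambiguous."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def respond(key, prover, verifier, challenge):
    """Prover's proof: HMAC over both identities and the verifier's nonce."""
    msg = encode(b"srv-auth-v1", prover.encode(), verifier.encode(), challenge)
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key, prover, verifier, challenge, response):
    """Verifier recomputes the tag and compares it in constant time."""
    expected = respond(key, prover, verifier, challenge)
    return hmac.compare_digest(expected, response)


def mutual_auth(x, y, key_at_x, key_at_y):
    """Each side issues a fresh nonce; both directions must verify."""
    cx, cy = secrets.token_bytes(16), secrets.token_bytes(16)
    y_ok = verify(key_at_x, y, x, cx, respond(key_at_y, y, x, cx))
    x_ok = verify(key_at_y, x, y, cy, respond(key_at_x, x, y, cy))
    return x_ok and y_ok


if __name__ == "__main__":
    k = PAIR_KEYS[frozenset(("a.example", "b.example"))]
    print("pairwise keys for 5 servers:", len(PAIR_KEYS))
    print("matching keys:", mutual_auth("a.example", "b.example", k, k))
    print("mismatched keys:", mutual_auth("a.example", "b.example", k, bytes(32)))
```

This proves possession of the key at handshake time only; it does not encrypt or authenticate the traffic that follows, which is what TLS (with certificates or PSK) adds.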

Chris Pratt

Reputation: 239300

SSL certificates signed by an authorized CA (certificate authority) are the only way to be sure. Anything else can be faked, and especially any "programmatic means" would be particularly unreliable. Short and simple: an authorized SSL cert is the only thing a browser will recognize as reliable, regardless.

Upvotes: 1
