SSL without Server Authentication

suekar meredilko
Ranch Hand

Joined: Mar 27, 2006
Posts: 153
What is the issue if SSL is used without Server Authentication?
I know server auth means that one is not sure if you are talking to the correct host and no means of verifying it. But will the SSL session still be an encrypted one?
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
Encryption (via SSL) and authentication are two different concepts. One can be used with or without the other.
suekar meredilko
Ranch Hand

Joined: Mar 27, 2006
Posts: 153
So my understanding is right.

SSL without authentication (Server or Client) will still be able to encrypt the session using PKI.

This also means that if data is encrypted but authentication is not in place, there is a risk that my client app can be a target of a man-in-the-middle attack.
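Added example, not part of the thread: a check for the two places where a Java (JSSE) client can end up with an encrypted but unauthenticated session, namely anonymous key-exchange cipher suites and a raw `SSLSocket` with no endpoint identification. It assumes the client app is a JSSE client; the class and method names are hypothetical, and it only inspects an unconnected socket's configuration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class ServerAuthCheck {

    // "_anon_" suites use anonymous (EC)DH: traffic is encrypted,
    // but the server presents no certificate, so it is never authenticated.
    static boolean authenticatesServer(String suite) {
        return !suite.contains("_anon_");
    }

    // Findings for a client socket's effective parameters (before connecting).
    static List<String> audit(SSLParameters p) {
        List<String> findings = new ArrayList<>();
        for (String s : p.getCipherSuites()) {
            if (!authenticatesServer(s)) findings.add("anonymous suite enabled: " + s);
        }
        String alg = p.getEndpointIdentificationAlgorithm();
        if (alg == null || alg.isEmpty()) {
            findings.add("no endpoint identification: certificate host name is not checked");
        }
        return findings;
    }

    // Keep only authenticated suites and require the certificate to match the host name.
    static SSLParameters harden(SSLParameters p) {
        List<String> keep = new ArrayList<>();
        for (String s : p.getCipherSuites()) {
            if (authenticatesServer(s)) keep.add(s);
        }
        p.setCipherSuites(keep.toArray(new String[0]));
        p.setEndpointIdentificationAlgorithm("HTTPS");
        return p;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Unconnected socket: only its configuration is inspected, nothing is sent.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            SSLParameters p = socket.getSSLParameters();
            System.out.println("default SSLSocket: " + audit(p));
            socket.setSSLParameters(harden(p));
            System.out.println("after hardening:   " + audit(socket.getSSLParameters()));
        }
    }
}
```

The default trust manager still validates the certificate chain; the endpoint identification setting adds the check that the certificate was issued for the host the client meant to reach.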
