SSL without Server Authentication

suekar meredilko
Ranch Hand

Joined: Mar 27, 2006
Posts: 153
What is the issue if SSL is used without Server Authentication?
I know server auth means that one is not sure if you are talking to the correct host and there is no means of verifying it. But will the SSL session still be an encrypted one?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42278
    
Encryption (via SSL) and authentication are two different concepts. One can be used with or without the other.


Ping & DNS - my free Android networking tools app
suekar meredilko
Ranch Hand

Joined: Mar 27, 2006
Posts: 153
So my understanding is right.

SSL without authentication (Server or Client) will still be able to encrypt the session using PKI.

This also means that if data is encrypted but authentication is not in place, there is a risk that my client app can be a target of a man-in-the-middle attack.

Thanks
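
An added example, not part of the thread or any poster's code: a Java client that keeps server authentication in place by refusing anonymous (certificate-less) cipher suites and turning on host name checking, which a raw `SSLSocket` does not do by default. The class and method names are hypothetical, and the sample suite list in `main` is constructed.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.List;

public class AuthenticatedTlsClient {
    // Anonymous key-exchange suites (TLS_DH_anon_*, TLS_ECDH_anon_*) still encrypt
    // the session, but the server sends no certificate, so it is never authenticated.
    static String[] authenticatedSuites(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (!s.contains("_anon_")) kept.add(s);
        }
        return kept.toArray(new String[0]);
    }

    // Returns a connected socket configured so that the handshake fails unless the
    // server presents a trusted certificate that matches the host being dialled.
    static SSLSocket open(String host, int port) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setCipherSuites(authenticatedSuites(params.getCipherSuites()));
        // The default trust manager validates the chain; this adds the host name check.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list, for illustration only.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
        };
        for (String s : authenticatedSuites(sample)) System.out.println("kept: " + s);
        if (args.length == 2) {
            try (SSLSocket s = open(args[0], Integer.parseInt(args[1]))) {
                s.startHandshake(); // throws if the server cannot be authenticated
                System.out.println("negotiated: " + s.getSession().getCipherSuite());
            }
        }
    }
}
```

Run with a host and port as arguments to attempt a real handshake; with no arguments it only filters the constructed list.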
 