SSL without Server Authentication

suekar meredilko
Ranch Hand

Joined: Mar 27, 2006
Posts: 153
What is the issue if SSL is used without Server Authentication?
I know server auth means that one is not sure if you are talking to the correct host and has no means of verifying it. But will the SSL session still be an encrypted one?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39534
    
Encryption (via SSL) and authentication are two different concepts. One can be used with or without the other.


Ping & DNS - updated with new look and Ping home screen widget
suekar meredilko
Ranch Hand

Joined: Mar 27, 2006
Posts: 153
So my understanding is right.

SSL without authentication (Server or Client) will still be able to encrypt the session using PKI.

This also means that if data is encrypted but authentication is not in place, there is a risk that my client app can be a target of a man-in-the-middle attack.

thanks
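
An added example, not code from any poster in this thread: in JSSE, "SSL without server authentication" typically shows up as anonymous (`_anon_`) cipher suites or as a socket with no endpoint identification, and this sketch removes the former and enables the latter on a client's `SSLParameters`. The class and method names (`ServerAuthCheck`, `isUnauthenticated`, `harden`) are illustrative, and Java 7 or later is assumed.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.List;

public class ServerAuthCheck {

    // "_anon_" suites perform key exchange without any certificate: the
    // session is encrypted, but the peer's identity is never verified.
    static boolean isUnauthenticated(String suite) {
        return suite.contains("_anon_");
    }

    // Returns new parameters with anonymous suites removed and hostname
    // checking switched on; the input object is left unchanged.
    static SSLParameters harden(SSLParameters in) {
        List<String> keep = new ArrayList<>();
        for (String s : in.getCipherSuites()) {
            if (!isUnauthenticated(s)) {
                keep.add(s);
            }
        }
        SSLParameters out =
                new SSLParameters(keep.toArray(new String[0]), in.getProtocols());
        // Without this, a raw SSLSocket or SSLEngine validates the certificate
        // chain but not that the certificate was issued for the host dialled.
        out.setEndpointIdentificationAlgorithm("HTTPS");
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Supported (not only enabled) suites: what this JRE could negotiate
        // if application code switched them on.
        for (String s : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (isUnauthenticated(s)) {
                System.out.println("supported, no server auth: " + s);
            }
        }
        SSLParameters hardened = harden(ctx.getDefaultSSLParameters());
        System.out.println("suites enabled after hardening: "
                + hardened.getCipherSuites().length);
        System.out.println("endpoint identification: "
                + hardened.getEndpointIdentificationAlgorithm());
    }
}
```

Apply the result with `SSLSocket.setSSLParameters(...)` or `SSLEngine.setSSLParameters(...)` before the handshake starts.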
 