0

I'm trying to log in to a web server over SSL from a client application.

I don't want the username and password to be sent over plaintext, so I would like to encrypt my traffic and subsequent REST calls using the SSL certificate provided by the web server.

So far, my code retrieves the certificate from the server, and from that I can retrieve the public key.

        public void testConnectionTo(String aURL) throws Exception {
        URL destinationURL = new URL(aURL);
        HttpsURLConnection conn = (HttpsURLConnection) destinationURL
                .openConnection();
        conn.connect();
        Certificate[] certs = conn.getServerCertificates();
        for (Certificate cert : certs) {
           System.out.println(cert.getPublicKey());

        }

This returns 3 different RSA public Keys. Which one do I use, and how (in pseudo code/code) do I use this public key to encrypt my outbound traffic?

Improve this question
11
  • 2
    If you are using HTTPS, as in accessing a URL with a https:// protocol, your traffic is automatically and transparently encrypted. What exactly are you trying to achieve? Getting sever certificates is mostly to check if you accept them. Commented Aug 10, 2017 at 15:17
  • So using HTTPS, as I am now, I won't be vulnerable to man in the middle attacks? Commented Aug 10, 2017 at 15:19
  • Yes, as long as you are really trusting the certificates that the server gives you, and do not accept outdated ciphers. Here are ciphers recommendations by Mozilla from 2016 if you want the gory details. JVM has its own repository of trusted root certificates, and would normally consult your OS's trusted CA list, too. You can check the connection's certificate additionally if you want to be extra paranoid, and close the connection if you think the certificate may be compromised, or know it is revoked. Commented Aug 10, 2017 at 15:25
  • Great. So I would just verify the SSL certificate once at the start of the connection using Certificate.verify()? Commented Aug 10, 2017 at 15:28
  • @9000 is incorrect and MITM attacks are a real danger when conecting via an unknown WiFi HotSpot. Commented Aug 10, 2017 at 15:30

1 Answer 1

Reset to default
2

If you are using an https:// as the URL protocol, the underlying the connection will automatically be encrypted, you don't need to do anything with the connection's server certs.

You shouldn't need to take any additional action to encrypt/decrypt the traffic.

The value for inspecting the certifications would be to see things like who the issuing agency is, and if you needed to do additional validation against the certificate .. for instance, if you were to validate that the cert was issued to the site that you are connecting to, to attempt to detect if somebody is launching a man-in-middle with an unmatched cert.

But in terms of straight wire encryption (preventing eavesdroppers) .. that is done automatically.

Improve this answer
Sign up to request clarification or add additional context in comments.

11 Comments

Thanks, where does verifying the SSL certificate come in to play?
For Instance, if the cert is an instanceof X509Certificate you could then check to see what the signing algorithm was, or who the issuing authority was. Then, if the cert didn't meet your standards, you could refuse to accept the connection.
Any advice on how I would specify my certificate standards/check the certificate matches my standards?
Wire encryption is that you can't just look at the packet stream and see what is in the packets (the way you can with http) b/c the data is encrypted automatically with the certs public key .. whether or not you trust that cert is a different issue.
@zaph: I'm not familiar with Charles, but proxies like that work because you explicitly add the proxy CA cert to your list of trusted certs on the device you want to MITM. Otherwise it will detect the MiTM.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.