开发者

Validate SSL Certification Java/Android

I have my android application talking to the server which is protected by an SSL certificate. Below is the code for that.

final HttpPost httppost = new HttpPost("https://www.myurl.com");
final List<NameValuePair> postlist = Utils.HttpGetToHttpPost(Arguments);
httppost.s开发者_Go百科etEntity(new UrlEncodedFormEntity(postlist));
final HttpResponse response = httpclient.execute(httppost);

Now my question is how do I prevent a MITM attack. How do I ensure that Im talking to myurl.com and not another url.


After some quick research...

Using the truststore that ships with java and using only ssl communication, might just be your best protection against Man in the Middle attacks. Java, out of the box, will throw an exception if it can't trust the certificate provided by the server.

Based on what I read it is hard for hackers to impersonate the key given to a site by a Certificate Authority.

I could be wrong though.


You could restrict the HTTPS hostname verify in this way:

SSLSocketFactory sf = new SSLSocketFactory(SSLContext.getInstance("TLS"));
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

Please refer to JSSE Reference Guide for detail customization with Java SSL connection.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜