
I have been researching SSL certificates on mobile devices, especially in the banking sector. I have these questions and have no idea where to find answers but here.

  1. Is there a technology that verifies the authenticity of mobile certificates before they reach the mobile device and the server, in between in the channel, for instance the way a VPN works, connecting a device and the cloud (internet)? If there is, I would appreciate a link to it.
  2. Is there a possibility for any person to specify or create a private key for encryption, just like when creating a username and password? If yes, how (a link please)?
  3. Is there a later technology, better than SSL certificates, or an improved SSL-certificate way of preventing MITM attacks?
  • I have the feeling that you have some wrong understanding of how certificates are used and that's why you ask these questions. I recommend that you describe the problem you actually want to solve or the assumptions you made about certificates which ultimately resulted in these questions. – Steffen Ullrich Apr 28 '18 at 12:52
  • I'm trying to figure out how to improve or most effectively use SSL certificates for a Mobile Banking Application, in combination with encryption, so as to avoid MITM attacks – Timothy Mach Apr 28 '18 at 22:16
  • Strict validation of the certificate by the client (i.e. pinning) avoids MITM attacks already. Given that and the kind of questions you ask I still assume that you are making some wrong assumptions about SSL and certificates, but I still don't know what these assumptions are. – Steffen Ullrich Apr 29 '18 at 04:06
  • @TimothyMach Before asking detailed questions about often reviewed concepts like SSL you should start by asking simple questions about your premises. – Tom K. May 01 '18 at 13:14

1 Answer

  1. I don't believe there is. Though technically some firewalls/corporate proxies do a sort of MITM attack: they verify the certificates and re-encrypt the traffic with their own key, so that may be similar.
  2. You can use pre-shared keys with TLS. It is specified in RFC 4279.
  3. It is hard to compare. SSL/TLS is currently the easiest, most flexible and most user-friendly. It has great interoperability and so on. It also went through large amounts of research and testing, so it can be considered more reliable than something new. On the other hand, for specific use cases there certainly are better options. They are just not as universal. I do not know of anything outright better than TLS in all areas.
Peter Harmann
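The point made in the comments and in the answer's item 1 is that certificate checking belongs in the client, not in a box "in between the channel": a mobile banking app that knows which certificate (or key) its backend uses can pin it and refuse any other, which is exactly what defeats an interception proxy that presents its own certificate. The following is an added example, not code from the question or the answer, showing a pinned TLS client using only the Python standard library. The `pinned_connect`, `check_pin` and `cert_fingerprint` names are this example's own, and the two byte strings standing in for the bank's and the proxy's DER certificates are constructed stand-ins so the pin logic can be exercised offline.

```python
"""Client-side certificate pinning on top of normal TLS validation (added example, stdlib only)."""
import base64
import hashlib
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, base64 encoded.

    This is the same "sha256/<base64>" pin format used by Android's network
    security config and by HPKP, applied here to the leaf certificate.
    """
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


class PinMismatch(ssl.SSLError):
    """Raised when the presented certificate matches none of the pinned fingerprints."""


def check_pin(der_cert: bytes, pins: set[str]) -> str:
    """Verify the certificate against the pin set and return its fingerprint.

    Keep at least two pins (current and backup) so the app keeps working
    across a certificate rotation; a one-pin app bricks itself on renewal.
    """
    fingerprint = cert_fingerprint(der_cert)
    if fingerprint not in pins:
        raise PinMismatch(f"certificate fingerprint {fingerprint} is not pinned")
    return fingerprint


def pinned_connect(host: str, port: int, pins: set[str], timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes both standard validation and the pin check.

    create_default_context() keeps chain validation and hostname checking on;
    pinning is an additional, stricter test on top of it, never a replacement.
    (Hypothetical helper; it performs network I/O and is not exercised offline.)
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        # getpeercert(binary_form=True) returns the leaf certificate in DER form.
        check_pin(tls.getpeercert(binary_form=True), pins)
    except PinMismatch:
        tls.close()   # an interception proxy's certificate ends up here
        raise
    return tls


# Constructed sample data: stand-ins for real DER certificates so the check runs offline.
BANK_CERT_DER = b"constructed stand-in for the bank backend's DER certificate"
PROXY_CERT_DER = b"constructed stand-in for an interception proxy's DER certificate"
# Current pin plus a backup pin (the backup is an arbitrary constructed value).
PINS = {cert_fingerprint(BANK_CERT_DER), "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}


def demo() -> tuple[str, bool]:
    """Return (fingerprint accepted for the bank cert, whether the proxy cert was rejected)."""
    accepted = check_pin(BANK_CERT_DER, PINS)
    try:
        check_pin(PROXY_CERT_DER, PINS)
        proxy_blocked = False
    except PinMismatch:
        proxy_blocked = True
    return accepted, proxy_blocked


if __name__ == "__main__":
    print(demo())
```

In a real app the pin set is shipped inside the binary (or, on Android, declared in the network security config) and is computed from the backend's actual certificate or, more commonly, its SubjectPublicKeyInfo so that a re-issued certificate for the same key still matches. The proxy case is why a pinned client gets "MITM protection" that plain TLS does not: the corporate or attacker proxy's certificate may chain to a CA the device trusts, but it will never hash to a pinned value.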