
Problem with Hosted MintChip server.

The Hosted MintChip server seems to be configured oddly.

When you first connect to it, it does NOT request a client certificate. Only after sending data does it send a HelloRequest and then request the certificate.

If you sent the client certificate anyway upon the first handshake, it doesn't make a difference as the server will do a HelloRequest anyway.

SSL implementations on most platforms probably deal with this invisibly but since I'm working with the SSL protocol directly, it is quite noticeable and quite inefficient.

I understand why this happens. The server requires the client certificate after determining what MintChip function needs to be called, but wouldn't it be better to request the cert first rather than later?
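As an added example (not part of the original post), here is a check for the behaviour described above: it parses the plaintext handshake messages of a server's first flight and reports whether a CertificateRequest was included, i.e. whether the certificate was asked for in the initial handshake rather than via a later HelloRequest. The sample flights are constructed stand-ins, not captures from the MintChip server.

```python
# Added example: classify a TLS 1.2 server first flight by handshake message type.
import struct

HANDSHAKE_RECORD = 22          # TLS record content type for handshake messages
CERTIFICATE_REQUEST = 13       # handshake type that asks the client for a cert
HELLO_REQUEST = 0              # handshake type that triggers renegotiation


def handshake_types(flight: bytes) -> list:
    """Return the handshake message types carried by a run of TLS records."""
    body, pos = b"", 0
    while pos < len(flight):
        if len(flight) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", flight[pos:pos + 5])
        pos += 5
        if ctype != HANDSHAKE_RECORD:
            raise ValueError(f"unexpected record content type {ctype}")
        if pos + length > len(flight):
            raise ValueError("truncated record payload")
        body += flight[pos:pos + length]   # messages may span records
        pos += length
    types, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = body[pos]
        msg_len = int.from_bytes(body[pos + 1:pos + 4], "big")
        pos += 4 + msg_len
        types.append(msg_type)
    return types


def requests_cert_in_initial_handshake(flight: bytes) -> bool:
    """True if the server asked for a client certificate in its first flight."""
    return CERTIFICATE_REQUEST in handshake_types(flight)


def _record(*msgs):
    """Build one handshake record from (type, payload) pairs (constructed data)."""
    body = b"".join(bytes([t]) + len(p).to_bytes(3, "big") + p for t, p in msgs)
    return bytes([HANDSHAKE_RECORD, 3, 3]) + len(body).to_bytes(2, "big") + body


# Constructed sample flights; payloads are placeholder bytes, not real messages.
SERVER_HELLO = (2, b"\x03\x03" + b"\x00" * 34)
FLIGHT_WITH_CERT_REQUEST = _record(SERVER_HELLO, (11, b"\x00\x00\x00"),
                                   (CERTIFICATE_REQUEST, b"\x01\x01\x00\x00"),
                                   (14, b""))
FLIGHT_WITHOUT_CERT_REQUEST = (_record(SERVER_HELLO, (11, b"\x00\x00\x00"))
                               + _record((14, b"")))
RENEGOTIATION_TRIGGER = _record((HELLO_REQUEST, b""))
```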

1 comment

    When you go to the server, you are giving it your ip and allowing it to set session data for you. If it just hands out a signed request, and a man in the middle is listening, he could potentially intercept and claim your session.

    The first rule of online security: Never, ever trust data from user space, ever. Make the client go to the server every time, and never let clients tell you who they are; only let clients tell you what they want, then authorize them in your private backend.
