Quent,

You might also read Bruce Schneier's book called "Applied Cryptography" (and his other books, too). Every security system has its inescapable flaws. HTTPS/SSL/TLS, for example, depends on the certificates not being compromised while they're still valid, and on the computational complexity involved in deciphering for the chosen symmetric key encryption algorithm. I think the default with JSSE is to use DESede for the symmetric encryption, which security researchers have "cracked" for an individual message in under 48 hours with highly distributed processing (tens of thousands of computers cooperating). In other words, HTTPS is good for keeping messages from criminals (they have better and easier ways to get your credit card numbers!), but capable governments can decode the messages.

Of course, this is off-topic, so you should look for more information elsewhere as Odi suggested.

-Eric.

Querent wrote:

Dear Odi,

I am using JSSE for the SSL implementation.
I still want to use HttpClient in my program.
If I assume that the server and client certificates are both valid and they're
communicating with each other, are they communicating over a secure line? (i.e., no one can
get or decrypt the data?)

Do you have any references or links to read to strengthen the communication between client and server?

Thanks in advance

Quent


Ortwin_Glück <[EMAIL PROTECTED]> wrote:

Dear Querent,

SSL is not implemented by HttpClient but is provided by an external company such as Sun. HttpClient uses the SSL implementation that you chose. How secure the SSL connections are is dependent on the algorithm used. To be sure, you should disable known weak algorithms in your SSL implementation. Furthermore, you can check the server certificate and supply a client certificate. For ultra-sensitive data (like banking applications) it is certainly not sufficient to have just the code you posted.

HTH

Odi

Querent wrote:



Dear all,

I'd like to know how secure SSL is in HttpClient. I set up the
host configuration using

HttpClient client = new HttpClient();
client.setStrictMode(true);
client.getHostConfiguration().setHost(LOGON_SITE, LOGON_PORT, "https");


where LOGON_SITE and LOGON_PORT are the address of the https site. I am
able to do either GetMethod or PostMethod.

Is my setup enough for HttpClient such that my program communicates
using a secure connection? Is HttpClient reliable on SSL?

Thanks a lot.

quent
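
Odi's suggestion above (disable known weak algorithms and check the server certificate), as an added example that is not part of the original thread: a plain JSSE SSLSocketFactory wrapper that filters the enabled cipher suites and turns on host name checking. The class name and the WEAK deny-list are assumptions for illustration, and wiring the factory into HttpClient is not shown.

```java
import java.io.IOException;
import java.net.*;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import javax.net.ssl.*;

// Added example (not from the thread): hardens every socket the default JSSE factory creates.
public class HardenedSSLSocketFactory extends SSLSocketFactory {
    // Assumed deny-list of cipher-suite name fragments; adjust to local policy.
    private static final String[] WEAK =
        {"_NULL_", "_anon_", "_EXPORT_", "_DES_", "_3DES_", "_RC4_", "_MD5"};
    private final SSLSocketFactory delegate;
    public HardenedSSLSocketFactory() throws NoSuchAlgorithmException {
        delegate = SSLContext.getDefault().getSocketFactory();
    }

    // Keep only the suites whose name contains none of the WEAK fragments.
    static String[] filter(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            boolean weak = false;
            for (String w : WEAK) weak |= suite.contains(w);
            if (!weak) kept.add(suite);
        }
        return kept.toArray(new String[0]);
    }

    // Applied before the handshake, which JSSE defers until startHandshake() or first I/O.
    private Socket harden(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        SSLParameters p = ssl.getSSLParameters();
        p.setCipherSuites(filter(p.getCipherSuites()));
        p.setEndpointIdentificationAlgorithm("HTTPS"); // certificate must match the host name
        ssl.setSSLParameters(p);
        return ssl;
    }

    @Override public String[] getDefaultCipherSuites() { return filter(delegate.getDefaultCipherSuites()); }
    @Override public String[] getSupportedCipherSuites() { return filter(delegate.getSupportedCipherSuites()); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
        throws IOException { return harden(delegate.createSocket(s, host, port, autoClose)); }
    @Override public Socket createSocket(String host, int port)
        throws IOException { return harden(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort)
        throws IOException { return harden(delegate.createSocket(host, port, local, localPort)); }
    @Override public Socket createSocket(InetAddress host, int port)
        throws IOException { return harden(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort)
        throws IOException { return harden(delegate.createSocket(host, port, local, localPort)); }
}
```

Sockets created from an InetAddress carry no host name, so with endpoint identification enabled the handshake fails unless the certificate lists that IP address.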
