[cryptography] "best practices" for hostname validation when using JSSE

ianG iang at iang.org
Sat Aug 10 03:14:20 EDT 2013

On 9/08/13 22:03 PM, Patrick Pelletier wrote:
> One thing mentioned in the "Most Dangerous Code in the World" paper (and
> I've verified experimentally) is that JSSE doesn't validate the hostname
> against the X.509 certificate, so if one uses JSSE naively, one is open
> to man-in-the-middle attacks.  The best solution I've been able to
> figure out is to "borrow" the hostname validation code from Apache
> HttpComponents.  But I'm curious what other people who use JSSE are
> doing, and if there's a "best practice" for doing this.

The problem is that you are into an area that is architecturally 
properly placed with the application.  That is, the library underneath 
should not do name-based validation, because it does not really care 
what a name is.  ZT and all that.

Yet, the apps don't do it.  The HTTPS-style hostname validation is still 
something that belongs in application space, but because of the general 
failure in application space to manage the whole area of certificates, 
large chunks have been both dumbed down and pushed into library space.

In contrast to browser-HTTPS dumbing down (we only do DNS server names) 
the original purpose / space for certificates was supposed to be huge 
and all-encompassing.  So kickback:  especially as you are contemplating 
your own CA, what do you want to put in the cert?  It's a smorgasbord of 
opportunity ...

> Apologies if this isn't on-topic for this list; I know you guys mostly
> discuss higher-level issues, rather than APIs.  I already tried asking
> on Stack Overflow, and they said it was off-topic for Stack Overflow:
> http://stackoverflow.com/questions/18139448/how-should-i-do-hostname-validation-when-using-jsse
> So, a meta-question would be: where is the right place to ask this
> question?  I haven't been able to find a JSSE-specific mailing list.

Which tension between "too much choice" and "programmer budget" leads to 
that paper you cite.  And 'best practices' is really not applicable 
here, it's turtles all the way down.  There is no right answer, nor a 
right place.  There be dragons!  Good luck  :)


> Thanks,
> --Patrick
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

More information about the cryptography mailing list