Application I am developing does some kind of server-side authorization. Communication is done via secure channel (HTTPS in my case, with valid SSL cert). I plan to implement something that will verify if remote server is exactly who he claims to be.
I know that no client-side protection is unbreakable, especially given enough time and knowledge. But, if I implement what I described above, is this security approach “secure enough” to protect data from being tampered with, while in transit, or to prevent man-in-the-middle attacks, and to ensure its validity?
I am considering adding another layer of security around transfered data (by using private/public key pair), but I suspect it might be enough to rely on SSL, without reinventing the wheel.
SSL is secure enough with a valid certificate, but …
A lot of people don’t know that getting an invalid certificate error is something that means “Your data is possibly going to be intercept by someone else”. They will just ignore the warning and Man-in-the-middle-attack will still work. Also, some older browser like IE6 might not even show you any warning if the certificate is invalid. The problem in this case would be the user, not the technology used. This means that instead of trying to build an other layer of security you should teach the people who use your application what does it means to get an invalid certificate error and why they should use a modern browser.