This question may seem like a novice, and perhaps ‘stupid’ question but please bear with me…
I’m still struggling to find a way to get my Java application to use a keystore located inside the JAR file, and I’m very tempted just to disable certificate validation all together using the method here. However, before I do so, I just wanted to confirm why you should not do this and whether those reasons actually apply to me.
I’ve heard that no certificate validation can make your application liable to “Man In The Middle” attacks (I think), but even if I am correct, I am unsure as to what these actually are so please could somebody explain. Though, if they are what I think they could be, I’m not sure whether my application ever be subject to them because, my application only uses an SSL connection to obtain data from my website, so users do not tell the application which URLs to visit – if that makes sense…
Here’s, an attack scenario. Other’s might want to contribute some more.
Your application accesses a URL. At some point along the way (any intermediate network hop), an attacker could position himself as a “man-in-the-middle”, that is, he would pretend to be a “proxy” for your communication, being able to read everything that goes through, and even modifying it on the way: the attacker could act on behalf of the user, mislead him as to what information he gets, and basically access al data being transferred.
Enter SSL: your client receives a certificate from the server, with a valid key (Signed by a known certification authority, or present in your keystore). The server will then sign and encrypt all it sends using that key. If an attacker where to place himself in the middle, he would not be able to read the data (it’s encrypted) or modify it (it’s signed, and modification would break the signature). He could still block communications altogether, but that’s another story.
So that’s that… if you ignore your keystore, you can’t verify any server side certificate, and you open the door to man-in-the-middle attacks.