If I'm making TLS requests to an API server that I'm referencing by IP, are the kinds of MITM attacks that certificate validation prevents still possible?
Background info if it clarifies the question: I'm making TLS requests to a REST API with a static IP that has no domain name associated with it. To make this work in Go, I have to set InsecureSkipVerify: true at the Transport layer of my HTTP client. Does this make my requests less secure?
I would assume it does but I don't really know why.
CodePudding user response:
As @James noted, the IP is an irrelevant component of a TLS handshake.
The standard procedure is:
- dial hostname/port
- DNS lookup hostname to get IP
- TLS handshake w/ IP
- reveals the hostname's certificate identity
- verify cert name matches hostname
Using InsecureSkipVerify: true skips the last step - and is generally only used during development/testing.
You can however use a different name, in this last step, for the certificate identity to match: leveraging the ServerName field in tls.Config:
    tc := &tls.Config{
        ServerName: "myhostname", // certificate identity to verify against
        RootCAs:    rootca,       // *x509.CertPool trusting the server's issuer
        // InsecureSkipVerify: true // <- avoid using this
    }
    d := tls.Dialer{
        Config: tc,
    }
    conn, err := d.Dial("tcp", "127.0.0.1:8080")
    if err != nil {
        log.Fatal(err) // handshake or certificate verification failed
    }
    defer conn.Close()
Here we are dialing an IP address, performing a TLS handshake, but instead of the default behavior of comparing the host cert with 127.0.0.1, it will instead verify it matches myhostname.
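The scenario from the question and the answer, as a runnable added example (not code from the original post or the answerer): it creates a certificate issued only for the constructed hostname api.internal.example, serves it from a loopback IP with no DNS name, and then compares what an http.Transport does with ServerName plus RootCAs, with no ServerName at all (the IP is checked and has no SAN), with a non-matching ServerName, and with InsecureSkipVerify against an impostor server presenting its own certificate for the same name. The names selfSignedCert, startServer, fetch, Outcome, Demo and apiName are all assumptions of this example, not identifiers from the page or the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// apiName is a constructed hostname; it is never resolved, it is only the identity the cert carries.
const apiName = "api.internal.example"

// selfSignedCert builds a throw-away self-signed certificate whose only identity is the DNS name
// `name` (deliberately no IP SAN), like an API server reached by bare IP. The pool holds just that cert.
func selfSignedCert(name string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// startServer serves "ok" over TLS on a loopback IP and port; srv.URL has no DNS name.
func startServer(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS() // srv.URL is now https://127.0.0.1:<port>
	return srv
}

// fetch does one GET through an http.Transport with the given TLS settings; returns body or handshake error.
func fetch(url string, cfg *tls.Config) (string, error) {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Outcome records each client configuration's result against the real server and an impostor.
type Outcome struct {
	Pinned         string // ServerName apiName + RootCAs: body "ok"
	ByIP           error  // no ServerName, so the IP is checked: no IP SAN, fails
	WrongName      error  // ServerName "other.example": name mismatch, fails
	ImpostorPinned error  // pinned config vs impostor: unknown authority, fails
	ImpostorSkip   string // InsecureSkipVerify vs impostor: "ok", i.e. a MITM is accepted
}

// Demo runs all five configurations and returns their outcomes.
func Demo() Outcome {
	cert, roots := selfSignedCert(apiName)
	srv := startServer(cert)
	defer srv.Close()
	impostorCert, _ := selfSignedCert(apiName) // same name, different key and issuer
	impostor := startServer(impostorCert)
	defer impostor.Close()
	pinned := &tls.Config{ServerName: apiName, RootCAs: roots}
	var o Outcome
	o.Pinned, _ = fetch(srv.URL, pinned)
	_, o.ByIP = fetch(srv.URL, &tls.Config{RootCAs: roots})
	_, o.WrongName = fetch(srv.URL, &tls.Config{ServerName: "other.example", RootCAs: roots})
	_, o.ImpostorPinned = fetch(impostor.URL, pinned)
	o.ImpostorSkip, _ = fetch(impostor.URL, &tls.Config{InsecureSkipVerify: true})
	return o
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with go run and the printed Outcome shows the point of the answer: dialing the IP is fine as long as the client still has a name to verify against (ServerName) and a trust root to chain to (RootCAs). The ImpostorSkip field is what InsecureSkipVerify gives up: any certificate for any name from any key is accepted, so nothing distinguishes the real server from a host that intercepted the connection.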