I am developing a network communication software library that uses handshaking s
Question
I am developing a network communication software library that uses handshaking similar to STARTTLS to enable upgrading to TLS security. I will be embedding a custom critical OIN policy into the certificates to lock the certificates to my application. Because the software will be used in embedded IoT devices that may not have any maintenance for decades, I can't put expiration dates in the certificate chain. To make this work I will need to embed a root certificate in my software library. Is this considered bad practice? It will be available as a static library. Is this another potential security hole? I expect that if the root certificate doesn't match, the client will just reject it. Thanks for any advice.
Explanation / Answer
I am assuming your question is about the certificate of the server which the library is going to communicate with.
It's secure in the sense that it will prevent the application using the library from inadvertently connecting to a server which is not trusted by your library. But it will not prevent malicious intent by the user of the library, i.e. the application can replace the certificate stored in your library. But this is the case even with browsers etc. The user of the browser can ignore warnings by the browser which say that the certificate of the site you are connecting to isn't trusted.
There isn't any way to prevent someone who wants to connect to a wrong site as long as the wrong site allows him to connect.
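The reject-on-mismatch behaviour the question expects, reproduced with the OpenSSL command-line tool as an added example (not part of the original answer and not the asker's library). It assumes `openssl` 1.1.0 or later is installed; the CA and server names, key sizes and lifetimes are constructed for the demo.

```sh
#!/bin/sh
# Added example. All names, subjects and lifetimes are constructed for the demo.

# make_root DIR NAME: create a self-signed root CA (key + certificate) in DIR.
# X.509 always carries a notAfter date, so the demo uses a long lifetime instead.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 36500 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR ROOT NAME: create a server certificate NAME signed by ROOT.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -sha256 -days 36500 -out "$1/$3.pem" 2>/dev/null
}

# pinned_verify ROOT_PEM LEAF_PEM: succeed only if LEAF chains to ROOT_PEM.
# -no-CAfile and -no-CApath keep the system trust store out of the decision,
# so the embedded root is the only trust anchor.
pinned_verify() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: a server issued by the embedded root is accepted, any other is rejected.
demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" pinned-root && make_root "$d" other-root &&
    issue_leaf "$d" pinned-root device-server &&
    issue_leaf "$d" other-root unknown-server || return 1
    pinned_verify "$d/pinned-root.pem" "$d/device-server.pem" &&
        echo "device-server: accepted"
    pinned_verify "$d/pinned-root.pem" "$d/unknown-server.pem" ||
        echo "unknown-server: rejected"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see both outcomes. As the answer notes, this only holds while the embedded root is the one the library shipped with.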