
Is it possible to prevent man-in-the-middle attack when using self-signed certificates?

I'm not sure if a similar question has been asked before (I couldn't find any), but is it possible to protect a Client/Server from a Man-In-The-Middle attack?

I'm writing a Client application to communicate with a Server. Communication will be SSLv3 based. I am OK with the server's self-signed certificates, but worried about someone else generating the same self-signed certificate with the same server name and pretending to be it. My Client application uses the OpenSSL library. [Client and Server are thrift based, if it makes any difference]. Can I avoid such an attack while at the same time maintaining support for self-signed certificates?

Tushar Sudake asked Jul 30 '12 16:07


2 Answers

Yes.

In short, a self-signed certificate is more insecure than a CA certificate only when the client does not know the certificate in advance and therefore has no way to validate that the server is who it says it is.

If you add the self-signed certificate to the client and don't accept any other certificate, you're actually as secure (or, one could argue, even more so) than having a certificate authority signed certificate.

The important parts to keep SSL secure with or without a certificate authority are:

  • The server private key (and in the case of a CA, the private keys of all its roots) is kept secret.
  • The client knows the server certificate (or its CA root).

Joachim Isaksson answered Oct 30 '22 04:10


You can hard-code the server's certificate and compare it against what you receive.

Or better yet, create a CA certificate and server certificate, signed by the CA. Have the CA trusted on the client (again by hardcoding it in your application) and validate received server certificate using the CA certificate.

Eugene Mayevski 'Callback answered Oct 30 '22 04:10
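
Both answers come down to the client holding the expected certificate and rejecting anything else. The sketch below is an added example, not code from either answerer: it pins a self-signed certificate by SHA-256 fingerprint using Python's `ssl` module (which wraps OpenSSL) rather than the asker's C client. The pin value and the names `PINNED`, `PinMismatch`, `normalize_pin`, `fingerprint`, `matches_pin` and `open_pinned` are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

# Placeholder pin (constructed): replace with the SHA-256 fingerprint of your
# server certificate, obtained out of band, e.g. from
#   openssl x509 -in server.pem -noout -fingerprint -sha256
PINNED = {"00" * 32}


class PinMismatch(ssl.SSLError):
    """The server presented a certificate that is not in the pin set."""


def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:..' (OpenSSL style) or plain hex; return lowercase hex."""
    return pin.replace(":", "").strip().lower()


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def matches_pin(der: bytes, pins) -> bool:
    """True only if this exact certificate is one of the pinned ones."""
    return fingerprint(der) in {normalize_pin(p) for p in pins}


def open_pinned(host: str, port: int, pins=PINNED, timeout: float = 10.0):
    """Connect, then refuse to continue unless the peer certificate is pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Chain and hostname checks are off: a self-signed certificate has no CA
    # path, so the pin comparison below is the only authentication.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not der or not matches_pin(der, pins):
        tls.close()
        raise PinMismatch("server certificate does not match any pinned fingerprint")
    return tls  # safe to send application data only after this point
```

Passing more than one fingerprint in `pins` lets a replacement certificate be deployed to clients before the server switches to it.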