Java and HTTPS url connection without downloading certificate

Question

This code connects to a HTTPS site and I am assuming I am not verifying the certificate. But why don't I have to install a certificate locally for the site? Shouldn't I have to install a certificate locally and load it for this program or is it downloaded behind the covers? Is the traffic between the client to the remote site still encrypted in transmission?

import java.io.BufferedReader; import java.io.InputStreamReader; import java.io.Reader; import java.net.URL; import java.net.URLConnection; import java.security.cert.X509Certificate;  import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager;  public class TestSSL {      public static void main(String[] args) throws Exception {         // Create a trust manager that does not validate certificate chains         TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {             public java.security.cert.X509Certificate[] getAcceptedIssuers() {                 return null;             }             public void checkClientTrusted(X509Certificate[] certs, String authType) {             }             public void checkServerTrusted(X509Certificate[] certs, String authType) {             }         } };         // Install the all-trusting trust manager         final SSLContext sc = SSLContext.getInstance("SSL");         sc.init(null, trustAllCerts, new java.security.SecureRandom());         HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());         // Create all-trusting host name verifier         HostnameVerifier allHostsValid = new HostnameVerifier() {             public boolean verify(String hostname, SSLSession session) {                 return true;             }         };          // Install the all-trusting host verifier         HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);          URL url = new URL("https://www.google.com");         URLConnection con = url.openConnection();         final Reader reader = new InputStreamReader(con.getInputStream());         final BufferedReader br = new BufferedReader(reader);                 String line = "";         while ((line = br.readLine()) != null) {             System.out.println(line);         }                 br.close();     } // End of main  } // End of the class // 

Answer 1

The reason why you don't have to load a certificate locally is that you've explicitly chosen not to verify the certificate, with this trust manager that trusts all certificates.

The traffic will still be encrypted, but you're opening the connection to Man-In-The-Middle attacks: you're communicating secretly with someone, you're just not sure whether it's the server you expect, or a possible attacker.

If your server certificate comes from a well-known CA, part of the default bundle of CA certificates bundled with the JRE (usually cacerts file, see JSSE Reference guide), you can just use the default trust manager, you don't have to set anything here.

If you have a specific certificate (self-signed or from your own CA), you can use the default trust manager or perhaps one initialised with a specific truststore, but you'll have to import the certificate explicitly in your trust store (after independent verification), as described in this answer. You may also be interested in this answer.

Answer 2

But why don't I have to install a certificate locally for the site?

Well the code that you are using is explicitly designed to accept the certificate without doing any checks whatsoever. This is not good practice ... but if that is what you want to do, then (obviously) there is no need to install a certificate that your code is explicitly ignoring.

Shouldn't I have to install a certificate locally and load it for this program or is it downloaded behind the covers?

No, and no. See above.

Is the traffic between the client to the remote site still encrypted in transmission?

Yes it is. However, the problem is that since you have told it to trust the server's certificate without doing any checks, you don't know if you are talking to the real server, or to some other site that is pretending to be the real server. Whether this is a problem depends on the circumstances.

---

If we used the browser as an example, typically a browser doesn't ask the user to explicitly install a certificate for each ssl site visited.

The browser has a set of trusted root certificates pre-installed. Most times, when you visit an "https" site, the browser can verify that the site's certificate is (ultimately, via the certificate chain) secured by one of those trusted certs. If the browser doesn't recognize the cert at the start of the chain as being a trusted cert (or if the certificates are out of date or otherwise invalid / inappropriate), then it will display a warning.

Java works the same way. The JVM's keystore has a set of trusted certificates, and the same process is used to check the certificate is secured by a trusted certificate.

Does the java https client api support some type of mechanism to download certificate information automatically?

No. Allowing applications to download certificates from random places, and install them (as trusted) in the system keystore would be a security hole.