This sin applies to any application that behaves as a client or server on the network where the connections are authenticated, or when there is any reason to need to know with certainty what system is on the other end of the connection. If you're re-implementing chargen, echo, or tod (time of day), then you don't need to worry about this. Most of the rest of us are doing more complex things and should at least be aware of the problem.
Using SSL (or to be precise, SSL/TLS) is a good way to authenticate servers, and if your client is a standard browser, the supplier of the browser has done most of the work for you. If your client isn't a standard browser, you must check for two things: whether the server name matches the certificate name, and whether the certificate has been revoked. One little-known feature of SSL is that it can also be used to authenticate the client to the server.
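What those two checks look like in a non-browser client, as an added example that is not from the book: the first function builds a client-side TLS context that fails the handshake unless the chain validates, the name matches, and (optionally) the leaf certificate passes a CRL check; the second shows the name-matching rule that `check_hostname` delegates to the TLS library, written out so the cases are visible (subject alternative names take precedence, a wildcard is only honoured as the whole leftmost label, and the subject CN is a legacy fallback that current browsers no longer use). The certificate dicts are constructed sample values in the shape `ssl.SSLSocket.getpeercert()` returns; `verified_connect`, the `check_crl` flag and the `crl_file` path are assumptions for illustration.

```python
import ipaddress
import socket
import ssl
from typing import Optional


def build_client_context(cafile: Optional[str] = None,
                         check_crl: bool = False,
                         crl_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for a client that must know which server it is talking to.

    cafile:    PEM bundle of trusted roots (None -> the platform default store).
    check_crl: also require a revocation (CRL) check on the server's leaf cert.
    crl_file:  PEM CRL to consult; without one the CRL check fails closed.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True            # check 1: name on the cert == name we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED  # no cert, or an untrusted chain -> handshake fails
    if check_crl:                        # check 2: has the cert been revoked?
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        if crl_file:
            ctx.load_verify_locations(cafile=crl_file)  # CRLs load through the same call
    return ctx


def verified_connect(host: str, port: int = 443, **ctx_kwargs) -> dict:
    """Open a TLS connection and return the peer certificate; raises
    ssl.SSLCertVerificationError if either check fails (hypothetical helper)."""
    ctx = build_client_context(**ctx_kwargs)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate DNS name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, must sit under at least two
    # further labels, and matches exactly one label: "*.api.example.com" matches
    # "v1.api.example.com" but neither "api.example.com" nor "a.v1.api.example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Does `hostname` appear on this certificate?  `cert` has the shape of
    ssl.SSLSocket.getpeercert(): a 'subject' tuple of RDNs and an optional
    'subjectAltName' tuple of (type, value) pairs."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # Literal IP: only an IP SAN counts; never match an IP against a DNS name.
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        # When SANs are present the subject CN is ignored entirely.
        return any(_dns_pattern_matches(p, hostname) for p in dns_names)
    # Legacy fallback for certificates with no SAN extension at all.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_pattern_matches(value, hostname)
    return False


# Constructed sample certificates (not real issuances).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}


if __name__ == "__main__":
    for name in ("www.example.com", "v1.api.example.com", "api.example.com",
                 "a.v1.api.example.com", "192.0.2.10", "evil.example.net"):
        print(f"{name:24s} -> {hostname_matches_cert(SAMPLE_CERT, name)}")
```

In a real client you do not call `hostname_matches_cert` yourself; you leave `check_hostname` on and pass the dialled name as `server_hostname`, and the library applies the same rule. The matcher is here so the failure cases are explicit, since most bugs in home-grown clients come from matching only the CN, accepting any wildcard position, or skipping the check when the name is an IP literal. Revocation is the check most often omitted: `VERIFY_CRL_CHECK_LEAF` is only as good as the CRL you load, so the client needs a process for refreshing it.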