[sehrope]

A lot of folks don't realize this but it's not just web browsers that you need to worry about. When your app connects over SSL to any service that it's consuming you need to be properly authenticating the remote server. For external HTTP requests (ex: to an external REST services) many programming languages/environments piggy back on the host machine's list of trusted roots (ie. the same ones that your browser uses) but a lot do not. They may just skip over the authentication piece of the SSL handshake.

This is especially true for database drivers. If your database driver includes a "use SSL" flag but you're not actually specifying a pre-shared certificate to authenticate the remote server then it's probably not authenticating the remote server[1]. Think about that for a second ... How would it?

I wrote about this a little while back[2] and gave a talk that went into this in a bit more detail this week (slides should be up next week). The gist of it is that if you don't authenticate the remote server (by authenticating its SSL cert) you're vulnerable to a MITM attack every time you connect. Not just the first time, every time. With SSH we're used to pinning remote host keys the first time you connect but with SSL there's no such thing[3] and you have to be careful to handle it properly.

[1]: I say "probably" here because it's technically possible that your remote server has an SSL certificate that is signed by the same set of trusted CAs that you use for HTTP requests and your DB driver actually validates it but it's not likely. Most database SSL certificates are either self-signed or self-signed via a CA signing cert controlled by a DBaaS. For example for RDS, Amazon signs the SSL certificates for all MySQL databases with a single CA signing cert: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_M...

[2]: http://blog.jackdb.com/post/55178133114/using-self-signed-ss...

[3]: No reason there couldn't be SSL cert pinning and it's something we've considered for our product. However you can't really automate it (you need a user to say "this is okay...") so we decided to have it be a manual step that you can just click to fetch/import: http://blog.jackdb.com/post/55349902000/auto-importing-ssl-c...