My context:
I have an ECDH protocol, and my main concern is a MITM attack. It doesn't matter if you use HMAC or anything else in the future to sign requests if your key exchange is compromised.
Setting aside HTTPS and third-party certificate authorities, is it possible to protect this channel from MITM attacks (supposing HTTPS is not safe and we don't have a certificate authority)?
What I have in mind:
Do ECDSA with a hardcoded "salt" or "pepper" present in mobile and backend, which essentially is never shared over a "hostile" channel through the network:
Mobile: ECDSA(message+salt/pepper) -> Send to backend with public key
Backend: (incoming data + salt/pepper) -> Verify signature with mobile's public key
This process works on both sides (we'll do the same when we get a service response).
This is a humble approach. We work in the finance industry and we are looking to level up our security for the worst case. I know that having hardcoded and non-rotating data/key/salt is not, in most cases, a good idea. Feedback from experts in this context is priceless: how do you protect this channel without HTTPS or certificate authorities? Of course, maybe it's impossible, but maybe not. I hear you, and thanks in advance!
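The scheme sketched in the question, written out as an added example (not part of the original post) using Node's built-in `crypto` module, so it is visible which checks the backend's acceptance actually rests on. The curve, the length-prefixed encoding, the function names, the pepper value and the choice of an ECDH public key as the signed message are all assumptions made for illustration.

```javascript
// Added example: ECDSA(message + pepper) as described in the post.
const crypto = require('node:crypto');

// Constructed sample value standing in for the secret hardcoded in app and backend.
const PEPPER = Buffer.from('constructed-sample-pepper');

// Length-prefix the message so that message || pepper is unambiguous.
function signedInput(message, pepper) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(message.length);
  return Buffer.concat([len, message, pepper]);
}

// Mobile: sign message+pepper; send message, signature and public key (never the pepper).
function mobileSend(message, keyPair, pepper) {
  const signature = crypto.sign('sha256', signedInput(message, pepper), keyPair.privateKey);
  const publicKeyDer = keyPair.publicKey.export({ type: 'spki', format: 'der' });
  return { message, signature, publicKeyDer };
}

// Backend: re-append its own pepper and verify with the public key carried in the packet.
function backendVerify(packet, pepper) {
  try {
    const publicKey = crypto.createPublicKey({ key: packet.publicKeyDer, type: 'spki', format: 'der' });
    return crypto.verify('sha256', signedInput(packet.message, pepper), publicKey, packet.signature);
  } catch {
    return false; // malformed key or signature
  }
}

function newKeyPair() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// Assumption: the signed message is the mobile's ECDH public key.
function demo() {
  const ecdhPublic = crypto.createECDH('prime256v1').generateKeys();
  const packet = mobileSend(ecdhPublic, newKeyPair(), PEPPER);
  const swapped = { ...packet, message: crypto.createECDH('prime256v1').generateKeys() };
  return {
    genuine: backendVerify(packet, PEPPER),                 // true
    swappedMessage: backendVerify(swapped, PEPPER),         // false: signature covers the message
    wrongPepper: backendVerify(mobileSend(ecdhPublic, newKeyPair(), Buffer.from('wrong')), PEPPER), // false
    // true: the key arrives with the packet and is not pinned, so acceptance rests on the pepper alone
    otherKeySamePepper: backendVerify(mobileSend(ecdhPublic, newKeyPair(), PEPPER), PEPPER),
  };
}

console.log(demo());
```

The last result shows that, because the verifying key travels in the same message, the backend's decision depends only on knowledge of the pepper, not on which key pair signed.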