问题描述
在HTTPS安全模型中,最薄弱的部分是浏览器中可信CA的列表。有很多方法可以让用户在列表中注入额外的CA,用户会信任错误的人。
In the HTTPS security model, the weakest part is the list of trusted CA in the browser. There are many ways that someone could inject addition CA to the list that users will trust the wrong guy.
例如,贵公司的公共计算机或PC。管理员可能会强迫您信任自己发布的CA,对于具有HTTPS中继的HTTPS代理服务器可能非常不安全。因此,他们将能够发送您的消息,登录名和密码,甚至浏览器会告诉您,您正在使用受信任的SSL连接。
For example, a public computer, or PC in your company. The administrator could force you to trust a CA issued by himself, it could be very insecure with a HTTPS proxy server with HTTPS relay. As a result, they will able to SPY your message, login, and password even browser tell you that your are on trusted SSL connection.
在这种情况下,什么可以通过网络应用程序开发人员可以做些什么来保护用户和系统?
In this case, what can web application developer could do to protect user and also the system?
推荐答案
作为一名网络应用程序开发人员,你几乎无能为力。
As a web application developer there is very little you can do about this.
这个问题需要在堆栈中进一步处理。
This issue needs to be dealt with further down the stack.
如果世界各地有人想要:
If someone half way around the world wants to:
a。将假根CA放在某人的计算机上
a. Put a false root CA on someone's computer
b。在该CA下为您的域颁发证书
b. Issue a cert for your domain under that CA
c。冒充您的网站
d。将某人的域的本地DNS条目指向不同的IP
d. Point someone's local DNS entry for your domain to a different ip
上述步骤均不涉及您的应用程序涉及或咨询,因此这是良好的网络管理和安全性很重要的地方。
In none of the above steps is your application involved or consulted so this is where good network administration and security is important.
除此之外,也许有人在他们的个人网络上本地做这件事是合理的。我是谁阻止他们?
Aside from that, maybe there's a legitimate reason for someone to do just this locally on their personal network. Who am I to stop them?
这实际上是企业网络代理过滤器所做的事情,并且他们有权这样做。
This is essentially what corporate web proxy filters do and they are within their rights to do it.
As至于阻止某人恶意采取上述步骤,这些步骤需要放在客户机器的管理员身上。
As far as stopping someone malicious from taking the above steps thats something that needs to be put on the administrators of your customers machines.
这篇关于如何防止来自服务器端的HTTPS中间人攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!