Is it possible to prevent a man-in-the-middle attack when using self-signed certificates?

Problem description:

I'm not sure if a similar question has been asked before (I couldn't find any), but is it possible to protect a Client/Server from a Man-In-The-Middle attack?

I'm writing a Client application to communicate with a Server. Communication will be SSLv3-based. I am OK with the server's self-signed certificates, but worried about someone else generating the same self-signed certificate in the same server name and pretending to be it. My Client application uses the OpenSSL library. [Client and Server are Thrift-based, if it makes any difference.] Can I avoid such an attack while at the same time maintaining support for self-signed certificates?

Yes.

In short, a self-signed certificate is more insecure than a CA certificate only when the client does not know the certificate in advance and therefore has no way to validate that the server is who it says it is.

If you add the self-signed certificate to the client and don't accept any other certificate, you're actually as secure as (or, one could argue, even more so than) having a certificate authority signed certificate.

The important parts to keep SSL secure with or without a certificate authority are:

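  • The server private key (and, in the case of a CA, the private keys of all its roots) is kept secret.
  • The client knows the server certificate (or its CA root).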
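
One way to implement the "add the certificate to the client and accept no other" approach from the answer, as an added example that is not part of the original post. It uses Python's `ssl` module (a wrapper around OpenSSL) rather than the asker's C client; the function names and the SHA-256 fingerprint format are assumptions of this example.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Compare a DER certificate's SHA-256 digest with the pin in constant time."""
    try:
        expected = bytes.fromhex(pinned_sha256_hex.replace(":", ""))
    except ValueError:
        return False  # malformed pin: fail closed
    return hmac.compare_digest(hashlib.sha256(der_cert).digest(), expected)


def pinned_context(server_cert_pem: str) -> ssl.SSLContext:
    """Build a client context whose only trust anchor is the known server certificate."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # No system CA store is loaded, so a certificate from any other issuer
    # (including a different self-signed one with the same name) fails the handshake.
    ctx.load_verify_locations(cadata=server_cert_pem)
    return ctx


def connect_pinned(host: str, port: int, server_cert_pem: str,
                   pinned_sha256_hex: str) -> ssl.SSLSocket:
    """Connect, then refuse to continue unless the peer presented the exact pinned cert."""
    ctx = pinned_context(server_cert_pem)
    raw = socket.create_connection((host, port), timeout=10)
    try:
        # Assumes the certificate's subjectAltName covers `host`.
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not fingerprint_matches(tls.getpeercert(binary_form=True), pinned_sha256_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls
```

The fingerprint check after the handshake enforces "exactly this certificate", which is stricter than chain validation alone if the pinned certificate could itself act as an issuer.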