I have a quick question: why do I need an SSL certificate (I mean just the certificate, not the SSL connection)?
In my case, Google Chrome detects that the connection is encrypted and secure, but everything is shown in red because I created the certificate myself. If the connection is secure, why is an SSL certificate needed?
Just because traffic to 192.168.xxx.xxx does not leave the boundary of your network does not mean it is secure.
Especially if you have BYODs attached to the network (and even if not, you don't want to be a hard shell with a juicy interior), someone can bring a compromised laptop or phone, attach it to the network, and a virus can intercept everything going on the network (see firesheep).
So you have to assume that the network is malicious - treat your LAN as if it were the internet.
So now the question goes back - why can't I rely on a self-signed certificate (both on a local network as well as the internet)?
Well, what are you protecting against? TLS (SSL) protects against two things:
Interception - even if I MITM you (I become your router), I can't read what you're sending and receiving (so I can't read your Credit Card numbers or password)
Spoofing - I can't inject code between you and the server.
So how does it work?
I connect to the server and get a certificate signed by a CA. This CA is considered trusted by the browser (they have to go through all kinds of audits to get that trust, and they get evicted if they break it). They verify that you control the server and then sign your public key.
So when the client gets the signed public key from the server, he knows he's going to encrypt a message that only the destination server can decrypt, as the MITM wouldn't be able to substitute his own public key for the server's (his public key wouldn't be signed by a CA).
Now you can communicate securely with the server.
What would happen if the browser would accept any SSL cert (self signed)?
Remember how the browser tells an official certificate apart from a forged MITM certificate? It is signed by a CA. Without a CA, the browser has no way of knowing whether it is talking to the official server or to a MITM.
So, self-signed certificates are very important.
What you can do, however, is generate a certificate and set it as a "root" certificate (effectively starting your own CA for your internal machines). You can then load it into the browser's CA store and communicate over SSL without going through letsencrypt (incidentally, this is how enterprise network monitoring tools work).