证书认证选项 [英] Certificate authentication options
问题描述
你好,
这是我的第一个问题.我没有找到任何滚动网络的解决方案(谷歌,...),这就是为什么我在这里发布问题.
我们在IIS 6上有一个用ASP编写的网站.客户(公司)使用我们的网站向开发人员发布有关问题和新订单的消息.假设您要向开发人员发送服务消息,并且您俩都使用我们的网站.您必须使用签名证书登录,然后转到发送消息"部分并发布消息.一切运行良好,在所有步骤中我们都实施了安全措施,需要有效的证书.甚至发布一条消息,因为这条消息可能价值不菲(请向开发人员订购新产品,...).
上周,我们的一位客户向我们提出了有关伪造证书的问题.井证书必须由4个不同的私人机构签发(不接受其他机构),这里的担心是他们雇用了一些安全团队来进行检查.他们对我们说,只有了解客户端的CERT_SUBJECT,他们才能轻松闯入并发布消息. CERT_SUBJECT存储在数据库(MSSQL)中,他们真正担心的是是否有人会窃取此信息.
所以我想知道的是:
-是否可以以某种方式通过cert_subject没有证书?
-如果是这样怎么办?有什么工具吗?我发现没有人只是伪造http标头
-是否可以避免此安全问题?
-他们在骗我们,以便他们获得一些奖金或更少的付款吗?
-也可以在linux/unix上完成吗?
-是否有可能拥有来自同一机构的一个证书并更改了cert_subject?证书可以轻松修改/编辑吗?
编辑
-我刚刚发现有可能用curl做到这一点吗?
他们对我们说,他们看到了这种情况,并且我们也知道如何做到这一点,但是我们当中没人知道这一点,所以请有人帮助我.
谢谢您,Jaka Razgorsek
Hello,
this is my first question here. I didn''t find any solution scrolling the web (google, ...), that''s why i''m posting a question here.
We have a website written in asp on IIS 6. The clients (companies) uses our website to post messages to their developers about issues and new orders. Let''s say you want to send a service message to your developer and you both use our website. You have to login using a signed certificate and then go to send message section and post a message. All works great, at all steps we implemented the security to need a valid certificate. Even to post a message, because this message can be worth a lot of money (order new product from developers, ...).
Last week one of our client address us a question about faking certificates. Well certificates must be issued by 4 different private authorities (others are not accepted), the concern here is that they hired some security team to check it out. And they say to us that they could easily break in and post messages only by knowing CERT_SUBJECT of the client. The CERT_SUBJECT is stored in database (MSSQL), and their real concern is if someone would steal this information.
So what i would like to know is:
- is it possible to pass cert_subject somehow not having certificate?
- if so how? are there any tools? i found none only to fake http headers
- is it possible to avoid this security issue?
- are they lying to us so that they would receive some bonus or less payments???
- can this be done also over linux/unix?
- is it possible they had one cert from the same authority and changed cert_subject in it? Can certificates be easily modified/edited?
edited
- i just found something is it maybe possible doing this with curl?
They said to us they saw this happening and that we also know how to make this but no one of us know this, so please if someone can help me.
Thank you, Jaka Razgorsek
推荐答案
不要征求可能不适合您情况的意见,而要获得他们使用的安全公司的名称并进行交谈向他们介绍.请他们演示它,如果它们是真实的,他们将很乐意与您合作解决您的安全性问题.
Instead of asking for opinions that may are may not be accurate to your situation, get the name of the security company that they used and talk to them about it. Ask them to demonstrate it and, if they''re real, they''ll be happy to work with you on your security issues.
这篇关于证书认证选项的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
