Is it possible to prevent man-in-the-middle attack when using self-signed certificates?


Question

I'm not sure if a similar question has been asked before (I couldn't find any), but is it possible to protect Client/Server from a Man-In-The-Middle attack?

I'm writing a Client application to communicate with a Server. Communication will be SSLv3 based. I am OK with the server's self-signed certificate, but I am worried about someone else generating the same self-signed certificate with the same server name and pretending to be it. My Client application uses the OpenSSL library. [Client and Server are Thrift based, if it makes any difference.] Can I avoid such an attack while at the same time maintaining support for self-signed certificates?

Answer

Yes.

In short, a self-signed certificate is less secure than a CA-signed certificate only when the client does not know the certificate in advance and therefore has no way to validate that the server is who it says it is.

If you add the self-signed certificate to the client and don't accept any other certificate, you're actually as secure as (or, one could argue, even more secure than) having a certificate-authority-signed certificate.

The important parts to keep SSL secure, with or without a certificate authority, are:

  • The server's private key (and, for a CA, the private keys of all of its roots) is kept secret.
  • The client knows the server certificate (or its CA root).
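The answer's approach, pinning the server's own self-signed certificate as the client's only trust anchor, as a worked example. This is added code, not part of the original question or answer, and it uses Python's standard-library `ssl` module rather than the asker's OpenSSL/Thrift C++ client; the logic (load exactly one certificate, require verification, check the name, compare the fingerprint) carries over directly to `SSL_CTX_load_verify_locations` and `SSL_get_peer_certificate` in C. It assumes the client ships the server's certificate in PEM form, that the server is on localhost, and, for `run_demo` only, that the `openssl` command-line tool is installed to mint two throwaway self-signed certificates for the same name; when it is not, `run_demo` returns `None`.

```python
"""Pin a self-signed server certificate in a TLS client (added example).

Assumptions not taken from the original post: the client ships the server's
self-signed PEM, the server is on localhost, and (run_demo only) the openssl
CLI exists to mint throwaway certificates for CN=localhost.
"""
import hashlib
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate: this is what gets pinned, not the CN."""
    return hashlib.sha256(der).hexdigest()


def strict_client_context() -> ssl.SSLContext:
    """Verification and hostname check on, SSLv3/TLS<1.2 off, trust store empty."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # never CERT_NONE "because it's self-signed"
    ctx.check_hostname = True
    return ctx


def pinned_client_context(trusted_pem: str) -> ssl.SSLContext:
    """Trust exactly one certificate: the server's own self-signed cert.

    The system CA store is deliberately not loaded, so another cert for the
    same name, self-signed or CA-issued, fails verification in the handshake."""
    ctx = strict_client_context()
    ctx.load_verify_locations(cadata=trusted_pem)
    return ctx


def connect_pinned(addr, port, server_name, trusted_pem, expected_fp) -> bool:
    """True only if the handshake verifies against the pinned cert and the
    presented certificate's fingerprint matches; False for anything else."""
    ctx = pinned_client_context(trusted_pem)
    try:
        with socket.create_connection((addr, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return cert_fingerprint(tls.getpeercert(binary_form=True)) == expected_fp
    except ssl.SSLError:                  # includes SSLCertVerificationError
        return False


def _mint_self_signed(directory: str, name: str):
    """Throwaway key + self-signed cert for CN=localhost via the openssl CLI."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return crt, key


def _serve_once(crt: str, key: str, ready: dict) -> None:
    """Accept one client, attempt the TLS handshake with the given cert, exit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        ready["port"] = srv.getsockname()[1]
        ready["event"].set()
        conn, _ = srv.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
        except (ssl.SSLError, OSError):
            pass      # client tore the handshake down: expected for the impostor
        finally:
            conn.close()


def run_demo():
    """Genuine server vs impostor server, both self-signed for CN=localhost.

    Returns {"genuine": True, "impostor": False} when pinning works as the
    answer describes, or None if the openssl CLI is missing or lacks -addext."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        try:
            genuine = _mint_self_signed(d, "genuine")
            impostor = _mint_self_signed(d, "impostor")   # same name, other key
        except subprocess.CalledProcessError:
            return None
        with open(genuine[0]) as f:
            trusted_pem = f.read()                        # what the client ships
        expected_fp = cert_fingerprint(ssl.PEM_cert_to_DER_cert(trusted_pem))
        results = {}
        for label, (crt, key) in (("genuine", genuine), ("impostor", impostor)):
            ready = {"event": threading.Event()}
            t = threading.Thread(target=_serve_once, args=(crt, key, ready), daemon=True)
            t.start()
            if not ready["event"].wait(5):
                return None
            results[label] = connect_pinned("127.0.0.1", ready["port"], "localhost",
                                            trusted_pem, expected_fp)
            t.join(5)
        return results


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would add to the answer. First, pinning the certificate (rather than a CA) means a key rotation on the server breaks every client until the shipped PEM is updated, so plan the rollout before the certificate expires. Second, the question mentions SSLv3; that protocol is broken and withdrawn (RFC 7568), and the context above refuses anything below TLS 1.2, which a modern OpenSSL build will also do by default.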
