How do digital certificates work when used for securing websites (using SSL)?


Problem description

Please help me understand how the process goes. I understand that web browsers contain root certificates for certificate authorities (CAs) like verisign, Entrust, Comodo, etc., but what exactly happens when a user accesses a secure page? Does the web browser send a request to the server of the CA to verify the certificate, or does it just use the CA's root certificate (in the browser) to verify the certificate?

I used some HTTP sniffer and logged on to gmail (the login page is secure) but didn't see requests going to any websites other than google, does that mean it only uses the CA's root certificate?

Solution

It depends on your browser/OS configuration. Basically a browser or an OS has a list of trusted root authorities (Mozilla has its own list, IE uses the Windows one).

When the SSL handshake takes place the site certificate is examined to see if it is signed by one of the trusted authorities, and if the server name matches the one in the certificate.

What happens next depends on the browser or OS configuration. CAs have a revocation list function (it's either a big list or a separate service (OCSP) where you can ask if a certificate is still good). If your browser/OS is configured to check this then this extra step will happen.

Firefox and Windows will check OCSP services by default if they are available; neither checks CRL lists by default.
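
The checks described in this answer, as an added example that is not part of the original answer: Go code using the standard `crypto/x509` package, where the root CA, the site name `www.example.test` and the OCSP URL are all constructed for illustration. Validation uses only the locally held root certificate; the OCSP URL embedded in the site certificate is where a revocation check, if enabled, would send its separate request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed certificate for cn, signed by parent (nil parent: self-signed root).
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil,
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root CA: signs itself
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	} else { // site certificate: carries its host name and the CA's OCSP URL (constructed)
		tmpl.DNSNames, tmpl.OCSPServer = []string{cn}, []string{"http://ocsp.example.test"}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// check is the handshake-time test from the answer: chain to a locally trusted root, then match the name.
func check(site, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := site.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	root, rootKey := issue("Constructed Root CA", nil, nil)
	site, _ := issue("www.example.test", root, rootKey)
	fmt.Println(check(site, root, "www.example.test"), check(site, root, "mail.example.test"), site.OCSPServer)
}
```

The first check returns no error, the second fails on the name mismatch, and a root that is not in the local pool fails with an unknown-authority error, all without any network traffic.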
