检查客户端是否已接受安全性异常 [英] Checking if a security exception has been accepted by the client
问题描述
我们有一些不使用真正的SSL证书的内部测试/开发环境。老实说,我的细节有点模糊,但底线是当访问这些环境中的子域,浏览器将提示您添加一个安全异常沿线你已经要求Firefox安全连接到示例.com,但我们无法确认您的连接是否安全:
We have a few staging environments for internal testing/dev that do not use "real" SSL certs. Honestly I'm a bit fuzzy on the details, but the bottom line is when accessing a subdomain on those environments, browser would prompt you to add a security exception along the lines of "You have asked Firefox to connect securely to example.com but we can't confirm that your connection is secure":
这可以检测通过向有问题的URL请求并处理错误代码/任何其他相关信息,它可能会回来?我找不到任何规格说明浏览器如何处理这些。
Could this be detected e.g. by making a request to the url in question and processing the error code/any other relevant information it may come back with? I could not find any specifications to indicate how this is being handled by the browser.
不必担心着陆页本身的错误,用户很清楚。但是一些请求失败,在后台这样(拉css / js /其他静态内容从不同的子域),但你不知道他们做,除非你去到firebug的网面板,并在新选项卡中打开,看到错误。 。
I don't mind the error occurring on the landing page itself, it's pretty clear to the user. However some requests fail like this in the background (pulling css/js/other static content from different subdomains) but you don't know they do unless you go to net panel in firebug and open it in new tab and see the error...
目的不是要规避这个问题,而是检测问题,并说出类似嘿,这些请求失败,你可以添加安全异常直接转到这些网址:[群链接]
The intention is not to circumvent this but rather to detect the issue and say something like "hey, these requests are failing, you can add security exceptions by going to these urls directly: [bunch of links]"
推荐答案
检查证书的有效性完全是客户的责任。只有它可以知道它必须使用HTTPS,并且它必须使用它对该主机有效的证书。
Checking the validity of the certificate is solely the responsibility of the client. Only it can know that it has to use HTTPS, and that it has to use it against a certificate that's valid for that host.
如果用户不做这些检查,因此使自己处于MITM攻击可能发生的位置,你不一定能够知道它。主动MITM攻击者可以回答执行您用来尝试检查用户正在正确做事的任务,但合法用户可能甚至不知道它。这与要使用重定向从 http:// 到 https:// :只要没有活动的MITM攻击降级连接,它就可以工作。
If the users don't make these checks and therefore put themselves in a position where a MITM attack could take place, you wouldn't necessarily be able to know about it. An active MITM attacker could answer perform the tasks you use to try to check the users are doing things correctly, but the legitimate users might not even get to know about it. This is quite similar to wanting to use redirections from http:// to https://: it works as long as there is no active MITM attack downgrading the connection.
(有一个例外,为了确保客户端已经看到了和你一样的握手:当使用客户端证书时。在这种情况下,你至少知道用cert验证的客户端会看到你的服务器证书,而不是一个MITM证书,因为在握手结束时的签名,这不是真正的你想要的。)
(There is an exception to this, to make sure the client has seen the same handshake as you: when using client certificates. In this case, you would at least know that the client that ha authenticated with a cert would have seen your server cert and not a MITM cert, because of the signature at the end of the handshake. This is not really what you're looking for, though.)
JavaScript机制一般不会让你自己检查证书。这就是说,XHR请求不受信任的网站(带有这样的警告)将以一种或另一种方式(通常通过异常)失败:这可以是一种方法来检测是否可以通过后台请求访问其他页面(虽然你一定会遇到关于同源策略的问题。)
JavaScript mechanisms generally won't let you check the certificate themselves. This being said, XHR requests to untrusted websites (with such warnings) will fail one way or another (generally via an exception): this could be a way to detect whether other pages than the landing page have are accessible by background requests (although you will certainly run into issues regarding Same Origin Policies).
而不是使用自签名证书来测试/开发,如果你部署一个测试证书颁发机构(CA)。有一些工具来帮助你这样做(使用哪一个取决于你需要的证书数量)。然后,您必须将自己的CA证书导入这些浏览器(或其他客户端),但整体测试将更加现实。
Rather than using self-signed certificates for testing/development, you would be in a much better position if you deployed a test Certification Authority (CA). There are a number of tools to help you do this (which one to use would depend on the number of certificates you need). You would then have to import your own CA certificate into these browsers (or other clients), but the overall testing would be more realistic.
这篇关于检查客户端是否已接受安全性异常的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
