Are self-signed and/or expired HTTPS certificates worse than just using HTTP?


Question

Despite the fact that you get a big red threatening warning telling you that the certificate has not been verified by one of those certificate authorities or has expired, what is bad with it in comparison to just using HTTP? Is it worse or not?

According to Google Chrome (http://www.sslshopper.com/assets/images/chrome-beta-ssl-2.png), « an attacker may be trying to intercept your communication ». What makes this browser and almost all others raise this warning in the case of a self-signed/expired certificate (and I did not write a certificate explicitly verified as invalid) and not in the case of browsing with HTTP? Again, is it less secure than browsing with HTTP?

Is it clearly more threatening to browse a website with a self-signed HTTPS certificate than browsing the exact same website with HTTP? So, are those modern browser behaviors a scam to make honest companies buy SSL certificates that they may not need?

Recommended answer

After all the comments and further research, I add my own answer.

I consider that self-signed and/or expired HTTPS certificates (that raise a warning in the browser) are worse than just using HTTP for the following reason:

When a user is browsing with HTTPS, he/she presumes that it is secure, and then the website should return a valid certificate. If that is not the case (self-signed and/or expired HTTPS certificate) then it is not secure. It could be a real threat or a simple problem in the certificate configuration/deployment, but still, it is a problem, and the user should stop browsing if he/she doesn't have more information about this site.

However, there is a situation, in which I found myself today, where a user has more information about the website. Let's imagine a small company in which only two employees need to access a website administration platform. If those two employees are aware that the platform does not have a certificate signed by any CA (Certification Authority), it is still better to communicate through this unsecured HTTPS than through unsecured HTTP because, at least, the communication is ciphered. Doing this would reduce the attack possibilities even if it does not prevent them.

That said, even if today HTTPS certificates can be delivered freely and quickly, it would have been great, at the time of costly certificates, to have an intermediary protocol between HTTP and HTTPS: a not-less-secure-protocol-than-HTTP where there is no authentication like SSL certificates but where the data is ciphered.
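The two-employee setup in the answer, where the users already know the self-signed certificate, is what certificate pinning does in code. The following is an added Go example (not code from the original post): a client that trusts exactly one certificate by its SHA-256 fingerprint instead of a CA chain, tested against a local server using Go's own self-signed test certificate; `pinnedClient`, `demo` and the wrong pin `deadbeef` are constructed for this demonstration.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// fingerprint: hex SHA-256 of the DER certificate, the value the two employees share out of band (constructed scenario).
func fingerprint(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}
// pinnedClient trusts only the certificate matching pin; the pin replaces the CA/hostname check, the validity period is still enforced.
func pinnedClient(pin string, now time.Time) *http.Client {
	cfg := &tls.Config{
		InsecureSkipVerify: true, // no chain building; VerifyConnection below does all checking
		VerifyConnection: func(cs tls.ConnectionState) error {
			leaf := cs.PeerCertificates[0] // Go aborts the handshake if the server sends no certificate
			if got := fingerprint(leaf.Raw); got != pin {
				return fmt.Errorf("fingerprint %s does not match pin", got)
			}
			if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
				return fmt.Errorf("pinned certificate outside its validity period")
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}
// get performs a request and returns the error raised when the pin check fails.
func get(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}
// demo serves over httptest's self-signed certificate and queries it with the right pin, a wrong pin, and a clock set after expiry.
func demo() (okErr, wrongPinErr, expiredErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "admin panel") }))
	defer srv.Close()
	pin := fingerprint(srv.Certificate().Raw)
	okErr = get(pinnedClient(pin, time.Now()), srv.URL)
	wrongPinErr = get(pinnedClient("deadbeef", time.Now()), srv.URL)
	expiredErr = get(pinnedClient(pin, srv.Certificate().NotAfter.Add(time.Hour)), srv.URL)
	return okErr, wrongPinErr, expiredErr
}
```

The pinned client gets the encryption of HTTPS without needing a CA, but only the three checks in `VerifyConnection` stand between it and an interceptor, so the pin must be obtained over a channel the attacker cannot tamper with.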

