防止人通过SSL进行中间攻击 [英] Preventing man in middle attack over over SSL

问题描述

您好，我正在使用HttpWebRequest来通过我们托管的SSL通过URL发出请求.已确定用户可以使用代理服务器来拦截和编辑这些请求，我们需要防止这种情况.我使用的代理 重建它是查尔斯"并且我还在设备上安装了他们提供的客户端证书.

Hi, I am using the HttpWebRequest to make a request to a URL over SSL, which is hosted by us.  Its been identified that a user is able to use a proxy server to intercept and edit these requests, which we need to prevent.  The proxy I used to recreate this was "Charles" and I also installed the client certificate they provide, on  the device.

我试图找到一种方法来将其编码到我的应用程序中，以便在SSL握手发生后但在实际发出完整请求之前进行检查，以将服务器的公钥与已知的公钥进行比较设备(可能是硬编码的 在此阶段)，并在必要时中止操作，但尚未找到一种方法来执行此操作.  

I was trying to find a way to code it into my application to do a check after the SSL handshake takes place, but before the full request is actually made, to compare the public key from the server with one that is known on the device (probably hard coded at this stage), and abort if necessary, but haven't found a way to do this.  

有人对如何做到有任何想法吗?

Does anyone have any ideas on how this might be done?

推荐答案

我使用Fiddler.查尔斯在启动时仍然有那怪异的形象吗?

I use Fiddler. Does Charles still have that whacky image when you start it up?

也许更灵活的方法是为您的请求生成HMAC.

Perhaps a more flexible approach would be to generate an HMAC for your requests.

这篇关于防止人通过SSL进行中间攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！