Is it safe to accept self-signed certificates?

Problem description

I have an Android app, and I keep getting javax.net.ssl.SSLException: Not trusted server certificate when I try to use it with my own server with my own self-signed certificate.

I am thinking of configuring the Android TrustManager to accept self-signed certificates, or to accept all certificates, so I can debug my app. I've read a bunch of resources on this site about how to do that. Is this safe to do?

Recommended answer

No, this is not safe. It destroys most of the security benefits of SSL/TLS. It leaves your app open to man-in-the-middle attacks. Accepting all self-signed certificates is almost as bad as using no SSL at all.

Do not do this. Do not modify the default policy to accept all certificates, or all self-signed certificates, or disable the hostname verification checks.

There are a few candidate alternatives that are reasonable.

One reasonable option is to introduce a configuration option for developer debugging. If this option is enabled, you can disable the certificate verification; if it is disabled, you use the standard certificate verification checks. The default should be for it to be disabled. Also, make sure that the option can only be enabled on devices that have developer settings enabled and that are registered with a Google developer account, to prevent a normal user from inadvertently destroying their own security.

Alternatively, another reasonable option is to add your own self-signed certificate to the certificate store, so that it will be trusted. Android makes this a bit more painful than necessary; what you'll need to do is implement your own custom TrustManager that references a custom TrustStore. The custom TrustStore will include your self-signed cert. The custom TrustManager will accept the certificate if it matches that one self-signed cert, or if it passes all the regular certificate verification checks. You can find details on how to do that on this blog post and this tutorial.

Either of these will let you test and debug locally, and ensure you are running the same code in test and in production. It will also avoid the risk of insecure test code leaking into production and compromising the security of your users.

If your app is written to connect to a single specific server, you can optionally get even better security by using certificate pinning. This basically means you'll only accept certificates that are signed by a single chosen certificate authority (CA), not one signed by any of the dozens of CAs that Android trusts. You can find details on how to do that at this tutorial, or using Moxie Marlinspike's library (read his introduction here), or this blog post.

However, this is arguably secondary. The most important thing is to avoid disabling the standard certificate validation checks by accepting all certs (or all self-signed certs).

Does it really matter? Yeah, it probably does.

Research studies have found that many apps have a serious security vulnerability, due to disabling some or all certification validation checks -- perhaps 15% of apps are affected. In many situations where an attacker might be able to eavesdrop on the SSL traffic, they can also mount a man-in-the-middle attack: for instance, if one of the users of your app is connecting via an open Wifi network, then anyone in range can mount a man-in-the-middle attack on that user (not just eavesdrop). It's worth avoiding this vulnerability.

References

  • Rethinking SSL Development in an Appified World. Sascha Fahl, Marian Harbach, Henning Perl, Markus Kötter and Matthew Smith. ACM CCS 2013. See also http://android-ssl.org/.
