Can a proxy change the SSL certificate?


Problem description


I noticed an interesting thing. Every time I access an SSL-enabled website like chase.com from my company, the SSL certificate is not from a well-known CA like VeriSign but from the IT department of my company. We use a dynamic proxy (I don't know how to explain it, but we definitely don't need to set it up in the IE->Connections section) for every Internet access. I was guessing that the proxy changes the SSL certificate to our IT's own certificate. My guess: every time an SSL connection starts, the proxy takes my HTTPS request, gets the certificate (let's call it SSL_Chase, for both SSL and the symmetric key for data encryption) from the website like Chase, changes the certificate to our own IT certificate (let's call it SSL_IT) and sends it with the response to me. I fill out the user name and password, my machine encrypts my data using SSL_IT, and our proxy gets it and decrypts it. Then the proxy encrypts it using SSL_Chase and sends it to Chase. So Chase thinks our proxy is me and I think our proxy is Chase, except that the IT certificate is not from Chase (I think most users won't notice it). This means the IT department knows everything we send to Chase and everything Chase sends to me!! I was wondering if my guess is possible, from the SSL connection algorithm point of view. Hope anybody can give me a hint.

Thanks a lot!

Accepted answer


It probably goes like this: you have your IT department's certificate as a trusted root certificate on your computer. When you browse to an HTTPS address, the proxy generates a certificate for that site on the fly, signed by the certificate that's trusted on your site. You then communicate with your proxy, and the proxy communicates with the real site. Both "legs" of the travel are over SSL/TLS, so you're safe from a random man in the middle, but your IT department can theoretically view all the communication.
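The mechanism the answer describes can be reproduced offline. The Go program below is an added example, not code from the original question or answer, and it uses only the standard library. It creates two self-signed roots with constructed names ("Example Public Root CA" standing in for a browser-shipped CA, "Example Corp IT Root CA" standing in for the IT department's root), then does what the interception proxy does on each connection: mints a fresh server certificate for the requested host, signed by the IT root, without ever touching the real site's private key. It then verifies that certificate against two trust stores, one holding only the public root (a stock machine) and one where the IT root has also been installed (a managed machine). The hostname chase.com is taken from the question; the CA names, validity periods and key types are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyPair bundles a CA certificate with the private key that signs under it.
type keyPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRootCA creates a self-signed root. The names passed in below are
// constructed for this example; they stand in for a public CA and for the
// enterprise IT root that the interception proxy controls.
func newRootCA(cn string) (*keyPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert: cert, key: key}, nil
}

// mintLeafFor is the per-connection step of the proxy: issue an on-the-fly
// server certificate for host, signed by the CA the proxy holds. The real
// site's key is never needed; only the client's trust in the issuer matters.
func mintLeafFor(host string, issuer *keyPair) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientAccepts reports whether a client whose trust store holds exactly the
// given roots would accept leaf as a valid server certificate for host.
func clientAccepts(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Result records what the asker observed (the issuer name) and the verdict of
// the two client configurations from the answer.
type Result struct {
	IssuerCN              string
	AcceptedStockClient   bool // trusts only the public root
	AcceptedManagedClient bool // public root plus the installed IT root
}

// simulate runs the whole scenario for host.
func simulate(host string) (Result, error) {
	publicCA, err := newRootCA("Example Public Root CA")
	if err != nil {
		return Result{}, err
	}
	itCA, err := newRootCA("Example Corp IT Root CA")
	if err != nil {
		return Result{}, err
	}
	forged, err := mintLeafFor(host, itCA)
	if err != nil {
		return Result{}, err
	}
	return Result{
		IssuerCN:              forged.Issuer.CommonName,
		AcceptedStockClient:   clientAccepts(forged, host, publicCA.cert),
		AcceptedManagedClient: clientAccepts(forged, host, publicCA.cert, itCA.cert),
	}, nil
}

func main() {
	r, err := simulate("chase.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaf issuer: %q\n", r.IssuerCN)
	fmt.Printf("stock client (public roots only) accepts: %v\n", r.AcceptedStockClient)
	fmt.Printf("managed client (IT root installed) accepts: %v\n", r.AcceptedManagedClient)
}
```

The stock client rejects the forged certificate with an unknown-authority error, which is exactly the warning the asker would have seen without the IT root installed; the managed client accepts it silently. The issuer name on the leaf is the one observable the asker noticed, and checking it is the practical test: if the issuer of a certificate for a public site is your employer's CA rather than a public one, the connection is being terminated and re-encrypted at the proxy, and the proxy operator can read the plaintext of both legs.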
