Accessing https sites with IP address


Question

I wonder why I am getting a certificate error if I try to access a site with an IP address instead of a domain name. Let's say, for example, nslookup says google.com is 173.194.43.96, so I tried to browse https://173.194.43.96 and I got a certificate error saying that the security certificate presented by this website was issued for a different website's address. Why is that so?

Recommended answer

This is because an SSL certificate is issued for a particular domain name. If the certificate name doesn't match the visited domain, the browser will show an error.

One of the main functions of SSL is to prove to the user that they are really connecting to the site they requested, and not to an attacker masquerading as the end site. Without linking the domain name to the certificate this would not be possible.

It is conceivable that the browser certificate system could have been designed to include the IP address in the certificate, but this would make it difficult to use DNS load balancing or even to change hosting providers, as a new certificate would have to be issued each time this happened. If the certificate included just the IP address and not the domain, this would leave the user defenseless against DNS spoofing attacks. So the only way forward really was to use the domain alone.

As a matter of interest, it is possible to obtain an SSL certificate for an IP address - and as Google is their own certificate authority, they could issue themselves a certificate for 173.194.43.96 and thus make it possible to browse Google securely by IP address, so long as they used SNI to serve up the correct certificate. It seems implausible that this would be worth the additional complexity, however...

This is a nice introduction to SSL if you want to read more:

https://timnash.co.uk/guessing-ssl-questions/
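
Added example, not part of the original question or answer: a simplified sketch of the name check a TLS client runs against a certificate's subjectAltName entries, showing why the IP literal fails against a DNS-only certificate. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical; real clients also handle details such as internationalized names that are left out here.

```python
import ipaddress

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert();
# these are not real certificates.
DNS_ONLY_CERT = {"subjectAltName": (("DNS", "google.com"), ("DNS", "*.google.com"))}
CERT_WITH_IP = {"subjectAltName": (("DNS", "google.com"),
                                   ("IP Address", "173.194.43.96"))}


def _parse_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may stand only for the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # The wildcard covers exactly one non-empty label: "*.google.com"
        # matches "www.google.com" but not "google.com" or "a.b.google.com".
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(cert, requested):
    """Return True if the name the user typed is covered by the cert's SANs."""
    sans = cert.get("subjectAltName", ())
    wanted_ip = _parse_ip(requested)
    if wanted_ip is not None:
        # An IP literal is compared only with "IP Address" entries. DNS entries
        # are never consulted, even if that name resolves to this address.
        return any(kind == "IP Address" and _parse_ip(value) == wanted_ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, requested)
               for kind, value in sans)
```
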
