Local Host/Local Network Https

Question

I am currently pursuing MSc in Applied Cyber Security from the Queen’s University Belfast. I am doing the dissertation on the topic Simple SSL.

In this project, we are investigating how to use SSL encryption for local network devices that have web interfaces, such as IP cameras. Current browsers treat self-signed certificates as a security threat and as far as we can identify there is no trusted method for using SSL in this context.

I, under the supervision of my dissertation supervisor Dr John Bustard, have achieved the solution.

I want to ask that, do we really need https on localhost/local network or http is fine?

Recommended answer

I want to ask that, do we really need https on localhost/local network or http is fine?

HTTPS on localhost (127.x.x.x) is a waste of resources, since you're encrypting network traffic that doesn't pass over an actual network.

HTTPS on the local network is quite valuable in the real world, since the reality is that you can't trust your local network much more than you can trust the internet. If you have valuable data, there's always a way to intercept the traffic.

None of the public Certification Authorities will issue a certificate for a local network. This is typically implemented by creating a CA on the local network and installing the CA's certificate as a trusted root on the workstations and devices.

The catch is that some inexpensive devices like cameras typically do not allow the end user to install a trusted root certificate, which means that they cannot implement SSL on the local network using the new cert.

Cameras usually ship with a certificate from the manufacturer, however whether or not it's trusted (or should be trusted) is a different issue. It may be self-signed by the manufacturer, or from an untrusted or unknown CA.

TL/DR: Most devices on a local network can use certificates issued by the local CA. Inexpensive network devices that the user can't/doesn't know how to update are a security issue.
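
The local-CA approach described in the answer above, as an added example that is not part of the original question or answer: it creates a private root, issues a certificate for one device with DNS and IP subject alternative names, and checks that the certificate chains to that root for the expected name. The CA name, `camera.lan`, `192.168.1.50` and all file names are made up, and the `openssl` command-line tool (1.1.1 or later) is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example. Every name, address and path here is constructed for illustration.
set -eu

make_local_ca() {                      # $1: directory to hold ca.key / ca.crt
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Local Network CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # ca.crt is what gets installed as a trusted root; ca.key must stay private.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_device_cert() {                  # $1: dir, $2: DNS name, $3: private IP
  local dir=$1 name=$2 ip=$3
  cat > "$dir/dev.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
[v3_dev]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name,IP:$ip
EOF
  # Device key and CSR, then a leaf certificate signed by the local CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/dev.cnf" \
    -keyout "$dir/dev.key" -out "$dir/dev.csr" 2>/dev/null
  openssl x509 -req -in "$dir/dev.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$dir/dev.cnf" -extensions v3_dev \
    -out "$dir/dev.crt" 2>/dev/null
}

device_cert_trusted() {                # $1: dir, $2: name the client connects to
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/dev.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_local_ca "$demo"
issue_device_cert "$demo" camera.lan 192.168.1.50
device_cert_trusted "$demo" camera.lan && echo "camera.lan chains to the local CA"
```

`ca.crt` is the file imported as a trusted root on the workstations; `dev.crt` and `dev.key` go onto the device, where it accepts an uploaded certificate.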
