如何验证 ssl 证书? [英] How are ssl certificates verified?
问题描述
安全验证 ssl 证书所需的一系列步骤是什么?我(非常有限)的理解是,当您访问 https 站点时,服务器向客户端(浏览器)发送证书,浏览器从该证书中获取证书的颁发者信息,然后使用该信息联系颁发者,并以某种方式进行比较有效性证书.
What is the series of steps needed to securely verify a ssl certificate? My (very limited) understanding is that when you visit an https site, the server sends a certificate to the client (the browser) and the browser gets the certificate's issuer information from that certificate, then uses that to contact the issuerer, and somehow compares certificates for validity.
- 这究竟是如何完成的?
- 该流程如何使其免受中间人攻击?
- 是什么阻止了一些随机人员设置自己的验证服务以用于中间人攻击,因此一切看起来"都是安全的?
推荐答案
这里有一个非常简单的解释:
Here is a very simplified explanation:
您的网络浏览器会下载网络服务器的证书,其中包含网络服务器的公钥.此证书使用受信任的证书颁发机构的私钥签名.
Your web browser downloads the web server's certificate, which contains the public key of the web server. This certificate is signed with the private key of a trusted certificate authority.
您的网络浏览器安装了所有主要证书颁发机构的公钥.它使用此公钥来验证 Web 服务器的证书确实是由受信任的证书颁发机构签署的.
Your web browser comes installed with the public keys of all of the major certificate authorities. It uses this public key to verify that the web server's certificate was indeed signed by the trusted certificate authority.
证书包含网络服务器的域名和/或IP地址.您的 Web 浏览器向证书颁发机构确认证书中列出的地址是它具有开放连接的地址.
The certificate contains the domain name and/or ip address of the web server. Your web browser confirms with the certificate authority that the address listed in the certificate is the one to which it has an open connection.
您的网络浏览器会生成一个共享对称密钥,该密钥将用于加密此连接上的 HTTP 流量;这比对所有内容使用公钥/私钥加密更有效.您的浏览器使用 Web 服务器的公钥加密对称密钥,然后将其发回,从而确保只有 Web 服务器可以解密它,因为只有 Web 服务器拥有其私钥.
Your web browser generates a shared symmetric key which will be used to encrypt the HTTP traffic on this connection; this is much more efficient than using public/private key encryption for everything. Your browser encrypts the symmetric key with the public key of the web server then sends it back, thus ensuring that only the web server can decrypt it, since only the web server has its private key.
请注意,证书颁发机构 (CA) 对于防止中间人攻击至关重要.但是,即使是未签名的证书也会阻止某人被动侦听您的加密流量,因为他们无法访问您的共享对称密钥.
Note that the certificate authority (CA) is essential to preventing man-in-the-middle attacks. However, even an unsigned certificate will prevent someone from passively listening in on your encrypted traffic, since they have no way to gain access to your shared symmetric key.
这篇关于如何验证 ssl 证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
