Is SSL secure both ways?


Question

I know that certificates that are sent by the server can't be faked (there are still MD5 collisions, but they are costly), but what about faking the client? In a man-in-the-middle attack: can't we tell the server that we are the legitimate client, take data from that server, manipulate it, then encrypt it again with the legitimate client's public key? How can the client be sure that the data really came from the server?

In theory, can we inject any data into the response sent by the server to the client?

Recommended answer

How are you authenticating the client? SSL client certificates? Or some application-level system (cookies etc.)?

Here's what SSL does in a nutshell:

  • Negotiate a Diffie-Hellman shared session key between the two parties.
  • Have the server sign the session key and send the result to the client. Once the client verifies this, the client knows there is no man in the middle and the server is who they say they are.
  • If client certificates are enabled, have the client sign the session key and send the signature to the server. The server now knows there is no MITM and the client is who they say they are.
  • Encrypt all data in both directions using the shared session key.

Typically when you use SSL you won't use client certificates. Strictly speaking, the server does not know if the connection is MITM'd. However, most clients will disconnect if the server certificate is bad. The server assumes that if the client pushes forward with the connection, there is no MITM. Even if Mallory, doing the MITM, chooses not to propagate the disconnect from the client, he has no new information now; all he's done is connect to the server himself. Without intercepting the client's session cookie or other authentication information (which is only sent by the client after verifying the connection is secure), the MITM is useless.

So in short, as long as one end or the other verifies the certificate of the other end before initiating any high-level communication of sensitive information, SSL is secure in both directions.
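The four steps in the answer above, run as a small simulation. This is an added example, not code from the answer's author: it models an ephemeral Diffie-Hellman exchange, a server signature that the client checks against a pinned server public key (standing in for certificate validation, which is omitted here), an optional client signature, and a Mallory who sits in the middle. Assumptions of this toy: the DH group is the 1024-bit MODP group from RFC 2409 (transcribed from memory, and far smaller than what one would deploy), signatures are hash-based Lamport one-time signatures rather than the RSA/ECDSA signatures a real certificate carries, and each side signs the transcript of both DH public values (the material the session key is derived from) rather than the key itself. The functions `handshake`, `lamport_*`, `dh_*` and `transcript` are all names chosen for this example.

```python
"""Toy model of the SSL/TLS handshake logic from the answer:
DH session key, server signs and client verifies, optional client
signature, and what a man in the middle can and cannot achieve.
Standard library only."""
import hashlib
import secrets

# 1024-bit MODP prime, RFC 2409 group 2, generator 2.
# ASSUMPTION: transcribed correctly. A wrong digit would weaken the
# toy's security but not change the logic it demonstrates.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures (stand-in for certificate signatures) ---
def lamport_keygen():
    # Private key: 256 pairs of random preimages; public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    h = sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # Reveal one preimage per bit of the message hash. One-time: never reuse sk.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


# --- Diffie-Hellman ---
def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    if not 1 < peer_pub < P - 1:          # reject degenerate public values
        raise ValueError("bad DH public value")
    return sha256(pow(peer_pub, priv, P).to_bytes(128, "big"))


def transcript(client_pub: int, server_pub: int) -> bytes:
    # What gets signed: both DH public values, in a fixed order.
    return client_pub.to_bytes(128, "big") + server_pub.to_bytes(128, "big")


def handshake(mitm: bool = False, client_cert: bool = False) -> dict:
    """Run one handshake; long-term keys are made fresh because Lamport
    keys are one-time. 'Pinned' public keys replace certificate checks."""
    server_sk, server_pk = lamport_keygen()              # server's long-term key
    client_sk, client_pk = lamport_keygen() if client_cert else (None, None)
    c_priv, c_pub = dh_keypair()                         # client's ephemeral DH
    s_priv, s_pub = dh_keypair()                         # server's ephemeral DH

    if mitm:
        # Mallory runs two separate DH exchanges, one toward each side.
        mc_priv, mc_pub = dh_keypair()                   # Mallory facing client
        ms_priv, ms_pub = dh_keypair()                   # Mallory facing server
        m_sk, _ = lamport_keygen()                       # Mallory's own key
        pub_at_server, pub_at_client = ms_pub, mc_pub
    else:
        pub_at_server, pub_at_client = c_pub, s_pub

    # Step 2: the server signs the transcript as *it* saw it.
    server_sig = lamport_sign(server_sk, transcript(pub_at_server, s_pub))
    if mitm:
        # Mallory lacks the server's private key; his options are to sign
        # with his own key, or to forward the server's signature, which
        # covers a transcript the client never saw.
        sig_at_client = lamport_sign(m_sk, transcript(c_pub, mc_pub))
        forward_ok = lamport_verify(server_pk, transcript(c_pub, mc_pub), server_sig)
    else:
        sig_at_client, forward_ok = server_sig, None
    client_ok = lamport_verify(server_pk, transcript(c_pub, pub_at_client), sig_at_client)

    # Step 3 (optional): client signs its view; server checks against its own view.
    server_ok = None
    if client_cert:
        client_sig = lamport_sign(client_sk, transcript(c_pub, pub_at_client))
        server_ok = lamport_verify(client_pk, transcript(pub_at_server, s_pub), client_sig)

    # Step 4: each side derives the session key from what it received.
    client_key = dh_shared_key(c_priv, pub_at_client)
    server_key = dh_shared_key(s_priv, pub_at_server)
    mallory_reads_both = mitm and (
        dh_shared_key(mc_priv, c_pub) == client_key
        and dh_shared_key(ms_priv, s_pub) == server_key)
    return {"client_ok": client_ok, "server_ok": server_ok, "forward_ok": forward_ok,
            "keys_match": client_key == server_key, "mallory_reads_both": mallory_reads_both}


if __name__ == "__main__":
    for args in ({}, {"mitm": True}, {"client_cert": True}, {"mitm": True, "client_cert": True}):
        print(args, handshake(**args))
```

In the `mitm=True` run Mallory does hold a valid session key with each side, exactly as the answer says ("all he's done is connect to the server himself"), but `client_ok` and `forward_ok` are both false, so a client that checks the signature before sending anything sensitive aborts. With `client_cert=True` the server additionally sees `server_ok` fail under MITM, because the client's signature covers DH values the server never received; that is the one case in which the server, rather than only the client, can tell.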

