Why do browsers show ugly errors for untrusted SSL certificates?

Question

When faced by an untrusted certificate, every single browser I know displays a blaring error like this:

Why is that?

This strongly discourages web developers from using an awesome technology like SSL out of fears that users will find the website extremely shady. Illegitimate (ie: phishing) sites do fine on HTTP, so that can't be a concern.

Why do they make it look like such a big deal? Isn't having SSL even if untrusted better than not having it at all?


It looks like I am being misunderstood. I am taking issue with the fact that HTTP sites cannot be more secure than an HTTPS site, even if untrusted. HTTP doesn't do encryption or identification. Phishers can make their sites on HTTP and no warnings are shown. In good faith, I am at the very least encrypting traffic. How can that be a bad thing?

Solution

SSL provides for secure communication between client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy.

(apache ssl docs)

Yep, I don't see anything about third party certificate authorities that all browsers should recognize as "legit." Of course, that's just the way the world is, so if you don't want people to see a scary page, you've got to get a cert signed by someone the browsers will recognize.

or

If you're just using SSL for a small group of individuals or for in-house stuff, you can have people install your root cert in their browser as a trusted cert. This would work fairly well on a lan, where a network admin could install it across the entire network.

It may sound awkward to suggest sending your cert to people to install, but if you think about it, what do you trust more: a cert that came with your browser because that authority paid their dues, or a cert sent to you personally by your server admin / account manager / inside contact?


Just for shits and giggles I thought I'd include the text displayed by the "Help me understand" link in the screenshot in the OP...

When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

For a domain mismatch (for example trying to go to a subdomain on a non-wildcard cert), this paragraph follows:

In this case, the address listed in the certificate does not match the address of the website your browser tried to go to. One possible reason for this is that your communications are being intercepted by an attacker who is presenting a certificate for a different website, which would cause a mismatch. Another possible reason is that the server is set up to return the same certificate for multiple websites, including the one you are attempting to visit, even though that certificate is not valid for all of those websites. Chromium can say for sure that you reached , but cannot verify that that is the same site as foo.admin.example.com which you intended to reach. If you proceed, Chromium will not check for any further name mismatches. In general, it is best not to proceed past this point.

If the cert isn't signed by a trusted authority, these paragraphs follow instead:

In this case, the certificate has not been verified by a third party that your computer trusts. Anyone can create a certificate claiming to be whatever website they choose, which is why it must be verified by a trusted third party. Without that verification, the identity information in the certificate is meaningless. It is therefore not possible to verify that you are communicating with admin.example.com instead of an attacker who generated his own certificate claiming to be admin.example.com. You should not proceed past this point.

If, however, you work in an organization that generates its own certificates, and you are trying to connect to an internal website of that organization using such a certificate, you may be able to solve this problem securely. You can import your organization's root certificate as a "root certificate", and then certificates issued or verified by your organization will be trusted and you will not see this error next time you try to connect to an internal website. Contact your organization's help staff for assistance in adding a new root certificate to your computer.

Those last paragraphs make a pretty good answer to this question I think. ;)
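As an added example that is not part of the original answer (Go standard library only, with a constructed organisation root and a constructed leaf for admin.example.com), this reproduces the three outcomes the quoted help text describes: no trusted root, the org root imported, and a host-name mismatch against that same certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent/parentKey; a nil parent makes it self-signed (a root CA).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewInternalPKI builds a constructed org root CA and a leaf it issued for admin.example.com.
func NewInternalPKI() (root, leaf *x509.Certificate) {
	root, rootKey := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Internal Root (constructed)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "admin.example.com"},
		DNSNames:  []string{"admin.example.com"}, // browsers match the requested host against the SANs
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}, root, rootKey)
	return root, leaf
}

// Verify mirrors the browser's two checks: chain to a trusted root, then match the requested host; trusted == nil models "org root never imported".
func Verify(leaf, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool() // an empty pool rather than the system store, so results are deterministic
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Without the root, Verify returns an x509.UnknownAuthorityError (the "not verified by a third party your computer trusts" page); with the root imported it succeeds for admin.example.com but returns an x509.HostnameError for foo.admin.example.com (the "address does not match" page).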
