如何SSL证书进行验证? [英] How are ssl certificates verified?
问题描述
什么是一系列需要安全验证的SSL证书的步骤?我(非常有限)的理解是,当你访问一个HTTPS站点,服务器会发送一个证书给客户端(浏览器)和浏览器获得这个证书的证书颁发者的信息,然后使用该联系issuerer,并以某种方式比较证书的有效性。
What is the series of steps needed to securely verify a ssl certificate? My (very limited) understanding is that when you visit an https site, the server sends a certificate to the client (the browser) and the browser gets the certificate's issuer information from that certificate, then uses that to contact the issuerer, and somehow compares certificates for validity.
- 究竟是怎么完成?
- 怎么样的过程使得它不受人在这方面的中间人攻击?
- 什么prevents一个素不相识的人从建立自己的认证服务的人在这方面的中间人攻击来使用,所以一切看起来安全吗?
推荐答案
下面是一个很简单的解释:
Here is a very simplified explanation:
-
您的Web浏览器下载Web服务器证书,它包含了web服务器的公钥。此证书与受信任的证书颁发机构的私钥签名。
Your web browser downloads the web server's certificate, which contains the public key of the web server. This certificate is signed with the private key of a trusted certificate authority.
您的Web浏览器与所有主要的证书颁发机构的公钥进行安装。它使用该公钥来验证Web服务器证书是由受信任的证书颁发机构确实签署。
Your web browser comes installed with the public keys of all of the major certificate authorities. It uses this public key to verify that the web server's certificate was indeed signed by the trusted certificate authority.
该证书包含域名和/或Web服务器的IP地址。 Web浏览器确认证书中列出的地址是一个,它有一个开放的连接。
The certificate contains the domain name and/or ip address of the web server. Your web browser confirms that the address listed in the certificate is the one to which it has an open connection.
您的网页浏览器生成一个共享的对称密钥将被用于该连接上的HTTP流量进行加密;这是比使用公/私钥加密的一切更加高效。浏览器进行加密与Web服务器的公共密钥的对称密钥然后把它发回,从而确保只有web服务器可以将其解密,因为只有在网络服务器具有其私钥
Your web browser generates a shared symmetric key which will be used to encrypt the HTTP traffic on this connection; this is much more efficient than using public/private key encryption for everything. Your browser encrypts the symmetric key with the public key of the web server then sends it back, thus ensuring that only the web server can decrypt it, since only the web server has its private key.
请注意,证书颁发机构(CA)是必不可少的preventing人在这方面的中间人攻击。然而,即使未签名的证书将$从被动地在你的加密流量听P中$ pvent人,因为他们没有办法获得对您的共享对称密钥访问。
Note that the certificate authority (CA) is essential to preventing man-in-the-middle attacks. However, even an unsigned certificate will prevent someone from passively listening in on your encrypted traffic, since they have no way to gain access to your shared symmetric key.
这篇关于如何SSL证书进行验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
