签名/验证HTTPS响应 [英] Signing / Verifying HTTPS Responses
问题描述
是否可以验证源自网站的响应?
Is it possible to verify that a response originated from a website?
例如,伪造网站的屏幕截图非常简单 - 我可以看看像一个政客一样可怕的东西。
For example, it's trivially easy to forge a screenshot of a website - I can make it look like a politician Tweeted something awful.
Twitter的网站受到HTTPS的保护 - 这意味着响应被加密。他们还签了?
Twitter's website is protected with HTTPS - that means that responses are encrypted. Are they also signed?
是否可以从服务器获取签名的HTTPS响应,以便我可以证明/验证它是否提供了该数据?
Is it possible to get a signed HTTPS response out of a server so that I can prove / verify that it served that data?
例如,我可以 wget
或 curl
https://twitter.com/BarackObama/status/645299508897714176 ,并回覆一下我可以用来证明Twitter提供此内容?
For example, can I wget
or curl
https://twitter.com/BarackObama/status/645299508897714176 and get back back a response which I can use to prove that Twitter served this content?
(我看不到与 wget -S
或<$ c $相关的任何内容c> curl -iv --raw )
推荐答案
https响应强>签。除非你要求他们不要,curl和wget要验证证书链。该链必须结束,但您的计算机信任的权限的证书。该权限证明证书是有效的,并且wget / curl已经验证证书对应于域名。因此,只有该证书的私钥的所有者可以对数据进行加密/解密。
An https response is signed. Unless you ask them not to, curl and wget do verify the certificate chain. That chain must end but a certificate of an authority that your computer trust. That authority certify that the certificate is valid, and wget/curl has verify that the certificate correspond to the domain name. Thus, only the owner of the private key of that certificate can encrypt/decrypt the data.
使用curl -v可以看到有关tls身份验证的更多信息。
With "curl -v " you can see more informations about the tls authentication.
这篇关于签名/验证HTTPS响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!