签名/验证HTTPS响应 [英] Signing / Verifying HTTPS Responses

问题描述

是否可以验证源自网站的响应？

Is it possible to verify that a response originated from a website?

例如，伪造网站的屏幕截图非常简单 - 我可以看看像一个政客一样可怕的东西。

For example, it's trivially easy to forge a screenshot of a website - I can make it look like a politician Tweeted something awful.

Twitter的网站受到HTTPS的保护 - 这意味着响应被加密。他们还签了？

Twitter's website is protected with HTTPS - that means that responses are encrypted. Are they also signed?

是否可以从服务器获取签名的HTTPS响应，以便我可以证明/验证它是否提供了该数据？

Is it possible to get a signed HTTPS response out of a server so that I can prove / verify that it served that data?

例如，我可以 wget 或 curl https://twitter.com/BarackObama/status/645299508897714176 ，并回覆一下我可以用来证明Twitter提供此内容？

For example, can I wget or curl https://twitter.com/BarackObama/status/645299508897714176 and get back back a response which I can use to prove that Twitter served this content?

（我看不到与 wget -S 或<$ c $相关的任何内容c> curl -iv --raw ）

推荐答案

https响应强>签。除非你要求他们不要，curl和wget要验证证书链。该链必须结束，但您的计算机信任的权限的证书。该权限证明证书是有效的，并且wget / curl已经验证证书对应于域名。因此，只有该证书的私钥的所有者可以对数据进行加密/解密。

An https response is signed. Unless you ask them not to, curl and wget do verify the certificate chain. That chain must end but a certificate of an authority that your computer trust. That authority certify that the certificate is valid, and wget/curl has verify that the certificate correspond to the domain name. Thus, only the owner of the private key of that certificate can encrypt/decrypt the data.

使用curl -v可以看到有关tls身份验证的更多信息。

With "curl -v " you can see more informations about the tls authentication.

这篇关于签名/验证HTTPS响应的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！