Security risks in disabling SSL certificate validation for a Java program


Question

Our team crawls websites to keep our info up to date. I was running into security exceptions when crawling HTTPS pages. The issue was that Java had an issue accepting self-signed certificates from pages.

Rather than keeping a list of certificates to accept (which could be difficult to maintain in the future), I'm using the workaround provided by neu242 to disable SSL certificate validation.

import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public static void disableCertificateValidation()
{
    // Create a trust manager that does not validate certificate chains:
    // every server (and client) certificate is accepted without inspection.
    TrustManager[] trustAllCerts = new TrustManager[] {
        new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
            {
                // Intentionally empty: never throws, so any client certificate is trusted.
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
            {
                // Intentionally empty: never throws, so any server certificate is trusted.
            }
        }
    };

    // Ignore differences between the requested hostname and the certificate hostname.
    HostnameVerifier hv = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session)
        {
            // Accept every hostname, whatever the certificate says.
            return true;
        }
    };

    // Install the all-trusting trust manager as the JVM-wide default for HttpsURLConnection.
    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
    } catch (Exception e) {
        // Any failure to install the context is silently ignored, as in the original workaround.
    }
}

Of course, this is posing a significant security risk. However, if I'm only using this code with my downloading program (the program which downloads images and PDF docs), and I'm not using the program to send any sensitive information, what security risks exist? From what I understand, this trust manager will be set only for the running JVM (the server running the program won't disable cert validation at the OS level). Further, if my requests for the images and docs were intercepted, my code will try to form the response into an image or PDF, respectively, and won't launch any malicious software. Is there a security risk I'm missing somewhere?

Answer

The risk that you are facing is that a malicious server could place itself between you and the origin server (it's a man-in-the-middle attack). In other words, you would THINK that you receive documents from the real server, but in fact you would receive the documents from the pirate server. So it depends on the types of documents and what you do with them...
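As an added example (not code from the question or the answer above): the crawler does not have to choose between "trust every certificate" and "no HTTPS". It can trust only the specific self-signed certificate(s) it has obtained and verified out of band (for example, exported from the server over a channel the operator controls), and leave hostname verification at its default. A man-in-the-middle presenting any other certificate is then rejected, which closes the gap the answer describes, while the list of trusted sites is just a PEM file checked into the crawler's configuration. The class name PinnedTrust, the PEM file path and the URL passed on the command line are assumptions for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Illustrative class, not part of the original post.
public class PinnedTrust {

    /**
     * Build an SSLContext that trusts ONLY the certificates found in the given PEM file
     * (one or more "-----BEGIN CERTIFICATE-----" blocks). The JVM's default CA list is
     * deliberately not included, so this context is suitable for the crawler's known
     * self-signed hosts and nothing else.
     */
    public static SSLContext fromPem(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = Files.newInputStream(pemFile)) {
            certs = cf.generateCertificates(in);   // parses every PEM block in the file
        }
        if (certs.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + pemFile);
        }

        // Empty in-memory trust store populated with the pinned certificates as trust anchors.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        int i = 0;
        for (Certificate c : certs) {
            trustStore.setCertificateEntry("pinned-" + (i++), c);
        }

        // A real PKIX trust manager: chain validation, expiry and signature checks all stay on.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Open a connection that uses the pinned context for this connection only.
     * Nothing JVM-wide is changed, and the default HostnameVerifier is kept, so the
     * certificate must also name the host in its Subject Alternative Name.
     */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: PinnedTrust <server-cert.pem> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = fromPem(Paths.get(args[0]));
        HttpsURLConnection conn = open(new URL(args[1]), ctx);
        // A MITM with a different certificate fails here with an SSLHandshakeException
        // instead of silently handing back a substituted image or PDF.
        System.out.println(conn.getResponseCode() + " " + conn.getContentType());
        conn.disconnect();
    }
}
```

The certificate file must come from a trusted path (an operator exporting it from the server, or the site owner publishing its fingerprint); fetching it from the live connection and pinning whatever arrives would pin the attacker's certificate just as happily. When a pinned certificate is rotated the crawler fails closed with a handshake error, which is the signal to update the PEM file, rather than continuing to download from whoever answers on port 443.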
