How secure is https?

Question

I have recently been looking into HTTPS, and just how secure it is.

I went to an https site which had a valid certificate and entered my username and password. Using Fiddler, I decrypted the requests which appeared after clicking the submit button, and there was my username and password in plain text in a string containing key-value pairs (this wasn't the querystring, it was the post values).

Can anyone enlighten me as to why HTTPS is said to be secure when it is this easy for me to get the username and password using an external application? I mean it was pretty much instant decryption, and surely a hacker could use an application to find out what requests you're making and decrypt them, can't they?

Recommended answer

HTTPS is a fairly secure way of communicating point-to-point without anyone in the middle being able to listen in.

The reason Fiddler can decrypt the traffic is that it has control over which certificates your browser trusts. A certificate is basically a "guarantee" that the web site you're talking to is who it claims to be, and since Fiddler can put its own certificate into the browser, it can convince the browser that it is any site.

Normally the browser only has certificates from certificate authorities (like Verisign, Thawte, Geotrust) whose job it is to validate that every site is actually who they say they are. As long as you trust the certificate authorities (they have made mistakes) and no one has added a fake certificate to your browser, you can pretty much trust that no one is listening in.

If you're looking for something that is "mathematically secure", HTTPS isn't it. For communication to be easy to set up, you still have to trust someone other than the person at the other end of the connection.
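
The answer's point, that the same site certificate is accepted or rejected depending only on which roots the client trusts, can be reproduced offline with the openssl CLI. This is an added example, not part of the original answer; the CA names and host name are constructed, and it assumes openssl with its default configuration file is installed.

```bash
# Constructed demo: PublicRootCA, LocalProxyRoot and login.example.test are made-up names.

# make_ca DIR NAME: create a self-signed root certificate NAME.pem (and key) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_leaf DIR CA HOST: create DIR/leaf.pem for HOST, signed by the root named CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# trusts DIR ROOT: succeed only if leaf.pem chains to ROOT, the sole trusted root.
trusts() {
  openssl verify -CAfile "$1/$2.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# verdict DIR ROOT: print what a client trusting only ROOT decides about leaf.pem.
verdict() {
  if trusts "$1" "$2"; then echo accepted; else echo rejected; fi
}

demo() {
  dir=$(mktemp -d)
  make_ca "$dir" PublicRootCA     # stands in for a CA shipped with the browser
  make_ca "$dir" LocalProxyRoot   # stands in for a root added to the local store
  issue_leaf "$dir" LocalProxyRoot login.example.test
  echo "client trusts PublicRootCA only: $(verdict "$dir" PublicRootCA)"
  echo "client trusts LocalProxyRoot:    $(verdict "$dir" LocalProxyRoot)"
  rm -rf "$dir"
}

demo
```

The certificate is rejected until the signing root is in the trusted set, which is why reviewing the roots installed on a machine is the check that matters here.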
