How to avoid this Apple Siri https cracking scenario?


Problem description

After reading the post about "cracking Siri", I understand that the HTTPS traffic from the iPhone to the Siri HTTPS server was "cracked" (decrypted) by creating:


  • a custom DNS server

  • a fake HTTPS server (pretending to be 'guzzoni.apple.com')

  • a custom SSL certificate authority

and by modifying the client (iPhone) DNS and SSL Certification Authority settings, they were able to fake the complete "environment" and decrypt the traffic.

But how could Apple (or anyone else) avoid this type of "crack"/hack?

Recommended answer

After some reading, it seems the only way to avoid this type of hack (which I understand is the famous Man in the Middle attack) is to do a correct authentication. Well explained here:


Public-key algorithms can guarantee the secrecy of a message, but they do not necessarily guarantee secure communications because they do not verify the identities of the communicating parties. To establish secure communications, it is important to verify that the public key used to encrypt a message does in fact belong to the target recipient. Otherwise, a third party can potentially eavesdrop on the communication and intercept public key requests, substituting its own public key for a legitimate key (the man-in-the-middle attack).

In order to avoid such an attack, it is necessary to verify the owner of the public key, a process called authentication. Authentication can be accomplished through a certificate authority (CA), which is a third party that is trusted by both of the communicating parties.

The CA issues public key certificates that contain an entity's name, public key, and certain other security credentials. Such credentials typically include the CA name, the CA signature, and the certificate effective dates (From Date, To Date).

So I would guess the only way to avoid such a hack is to only let the client (here iPhone) use pre-determined CAs.
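
The following Go program is an added example, not part of the original answer: it shows a client that trusts only a pre-determined CA accepting the genuine server certificate and rejecting one for the same hostname issued by a custom CA. All certificates are generated in memory as constructed test data, and the names `issue`, `verifyPinned`, "Vendor CA" and "Custom CA" are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // acceptable here: every input is constructed for the demo
	}
	return v
}

// issue builds a constructed cert: self-signed CA if parent is nil, else a server cert for name.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, t, key
	} else {
		t.DNSNames, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyPinned trusts only pinnedCA: the pool starts empty, so system and user-installed CAs are ignored.
func verifyPinned(leaf *x509.Certificate, host string, pinnedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	const host = "guzzoni.apple.com" // hostname taken from the question
	vendorCA, vendorKey := issue("Vendor CA (constructed)", nil, nil)
	customCA, customKey := issue("Custom CA (constructed)", nil, nil)
	good, _ := issue(host, vendorCA, vendorKey)
	fake, _ := issue(host, customCA, customKey)
	fmt.Println("genuine:", verifyPinned(good, host, vendorCA), "| substituted:", verifyPinned(fake, host, vendorCA))
}
```

The substituted certificate fails with an unknown-authority error even though its hostname matches, because the verification never consults the trust store that the device settings can change.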
