Preventing man in the middle attack while using https


Question

I am writing a little app similar to omegle. I have an HTTP server written in Java and a client which is an HTML document. The main way of communication is by HTTP requests (long polling).

I've implemented some sort of security by using the https protocol and I have a securityid for every client that connects to the server. When the client connects, the server gives it a securityid which the client must always send back when it wants a request.

I am afraid of the man in the middle attack here; do you have any suggestions how I could protect the app from such an attack?

Note that this app is built for theoretical purposes; it won't ever be used for practical reasons, so your solutions don't necessarily have to be practical.

Recommended answer

HTTPS does not only do encryption, but also authentication of the server. When a client connects, the server shows it has a valid and trustable certificate for its domain. This certificate cannot simply be spoofed or replayed by a man-in-the-middle.
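
The guarantee described in the answer holds only while the client performs both certificate checks: chain validation and host name matching. A browser does this on its own; the following added example (not part of the original post, assuming a non-browser client written in Python with the standard `ssl` module, with illustrative function names) shows which context settings keep server authentication intact and which give it up.

```python
import ssl


def verification_gaps(ctx: ssl.SSLContext) -> list:
    """Return the server-authentication checks this client context skips."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified: any certificate is accepted")
    if not ctx.check_hostname:
        gaps.append("name not checked: a certificate for another domain is accepted")
    return gaps


def strict_context() -> ssl.SSLContext:
    # Library default for clients: trusted chain AND matching host name required.
    return ssl.create_default_context()


def name_unchecked_context() -> ssl.SSLContext:
    # Weak: the chain is still validated, but not the name the certificate is for.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def unverified_context() -> ssl.SSLContext:
    # Weakest: traffic is encrypted, but the peer is not authenticated at all.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be switched off first
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_check_cannot_be_dropped_alone() -> bool:
    # The ssl module refuses CERT_NONE while host name checking is still on.
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for make in (strict_context, name_unchecked_context, unverified_context):
        print(make.__name__, verification_gaps(make()) or "server is authenticated")
```

Running `verification_gaps` over the contexts a code base constructs is a quick review check for clients that have silently turned off the protection the answer relies on.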
