
C# : Authenticate server certificate before sending HTTP GET / POST

I'm building a .NET app, and I'd like to make the web calls secure enough that it's not easy to monitor the traffic through something like Fiddler. I'd like to be able to know that the certificate from the server isn't as expected and then never send out a full request with the request data.

Twitter's iOS app does this. Someone, I think, would have to somehow make a copy of Twitter's HTTPS certificate and make that Fiddler's certificate. I haven't done it myself, but I think that's how I understand it. What you see in Fiddler is that the tunnel has been created, but no request was actually sent out. It's the same scenario when you don't have Fiddler's HTTPS certificate installed on the device and you open a browser to google.com: a tunnel is created and then the browser knows 'uhoh untrusted server' and displays a message to the user. I'd like to just make it more secure and only allow 1 certificate / my server's certificate.

Make sense? I think I figured out how to do it by making a separate full dummy request, but that's not ideal.

What you're asking is "How do I implement certificate pinning in my client application?"

The way to do that would be to attach a validation callback on the Service Point responsible for making your HTTPS requests. Your validation callback would override the default behavior ("Accept any certificate trusted by Windows") and would instead validate that the received certificate is EXACTLY the one you expect.

Now, before you go that route, keep in mind a few things:

  1. An attacker with Admin or Debug privileges can easily change your code in memory to remove your validation. This is called the "Trusted client" problem.
  2. Your validation will break if the code is ever run in a corporate environment where a security appliance is doing HTTPS inspection (e.g. BlueCoat, ISA TMG, etc.).
  3. Your validation will prevent "certificate agility" -- if the server cert needs to change, you will need to update the application. If you ever want to use a load-balanced configuration with multiple certificates, or a public HTTPS CDN, you would need to update your validation logic.
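
A validation callback of the kind described in the answer above, as an added example that is not part of the original question or answer. It uses `HttpClientHandler.ServerCertificateCustomValidationCallback`; on older .NET Framework code the same check can be assigned to `ServicePointManager.ServerCertificateValidationCallback`. The pin values and URL are placeholders, and accepting a small set of pins rather than one is an assumption made to ease the certificate-agility problem from point 3.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class PinnedHttp
{
    // Placeholder pins (assumption): SHA-256 of the DER-encoded server certificate, hex.
    // A second entry lets the server rotate certificates without breaking deployed clients.
    static readonly HashSet<string> Pins = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "<SHA256-HEX-OF-CURRENT-CERT>",
        "<SHA256-HEX-OF-NEXT-CERT>",
    };

    static bool Validate(HttpRequestMessage request, X509Certificate2 cert,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // Keep the platform checks (chain, host name, expiry); the pin narrows them further.
        if (cert == null || errors != SslPolicyErrors.None) return false;
        using (var sha = SHA256.Create())
        {
            string hash = BitConverter.ToString(sha.ComputeHash(cert.RawData)).Replace("-", "");
            return Pins.Contains(hash);
        }
    }

    public static HttpClient Create() =>
        new HttpClient(new HttpClientHandler { ServerCertificateCustomValidationCallback = Validate });

    static async Task Main()
    {
        using (var client = Create())
        {
            try
            {
                // Validate runs during the TLS handshake, before any request data is written.
                string body = await client.GetStringAsync("https://example.com/"); // placeholder URL
                Console.WriteLine("Pinned connection OK, {0} chars", body.Length);
            }
            catch (HttpRequestException ex)
            {
                Console.WriteLine("Request refused: " + ex.Message);
            }
        }
    }
}
```

With an intercepting proxy in the path, the proxy's substitute certificate does not match a pin, the handshake is aborted, and the proxy sees only the CONNECT tunnel, which is the behavior described in the question.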
