
Secure connection to server from PhoneGap without buying SSL certificate

I want to make a secure connection for obtaining data from a data (requiring a login) in a PhoneGap application. Is there some way to do this without buying an SSL certificate?

Could I use a self-signed certificate and add the certificate (or its fingerprint) to the PhoneGap application, so that it can always check that the certificate is correct and no man-in-the-middle attack takes place?

Is there some way to do this without buying an SSL certificate?

Yes.

akirilov gave you one answer.

Your other option is to use Startcom. They offer free Class 1 certificates. Their Certificate Authority is installed on most desktop and mobile platforms.

The bad thing about using the CA Zoo is that only one CA certified your certificate (whether it's Startcom, Verisign, etc.). However, any CA from the zoo can claim to be the certificate authority. So a bad guy who tricks a CA or compromises a CA will be able to obtain a certificate for your server. We've seen both happen in the past.

You can avoid the CA Zoo with certificate pinning. See OWASP's Certificate and Public Key Pinning.

Could I use a self-signed certificate and add the certificate (or its fingerprint) to the PhoneGap application, so that it can always check that the certificate is correct and no man-in-the-middle attack takes place?

Yes, that's fine too. Your PhoneGap application will need to perform the certificate validation, and accept your self-signed cert.

To do similar in .Net, Java, iOS, etc., you would pin your server's certificate since you know what it is in advance. I don't know how to do it in PhoneGap, though.

For information on pinning in .Net, Java, iOS, etc., see OWASP's Certificate and Public Key Pinning. There's sample code available for major platforms, including OpenSSL.
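As an added illustration of the pinning idea (not code from the answer above, and not a PhoneGap API, which the answer says it does not cover), here it is in Go: a constructed self-signed certificate, the SPKI fingerprint the app would embed, and a client TLS config that ignores the CA store and accepts only a server whose key matches that pin. All function names are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned builds a constructed self-signed certificate in memory; no CA is involved.
func SelfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// SPKIPin is the value the app ships with: base64(SHA-256(SubjectPublicKeyInfo)).
// Pinning the public key (not the whole cert) survives re-issuing the cert with the same key.
func SPKIPin(der []byte) (string, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// PinnedConfig is the client side: CA-chain checking is switched off, and the leaf
// is accepted only if its SPKI hash equals pin, so no CA in the "zoo" can vouch for an impostor.
func PinnedConfig(pin string) *tls.Config {
	verify := func(raw [][]byte, _ [][]*x509.Certificate) error {
		got, err := SPKIPin(raw[0]) // raw[0] is the leaf the server presented
		if err == nil && got != pin {
			err = fmt.Errorf("pin mismatch: server key hashes to %s", got)
		}
		return err
	}
	return &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: verify}
}
```

Pass the config to tls.Dial (or an http.Transport) and the connection fails at handshake time whenever the presented key is not the pinned one, which is exactly the man-in-the-middle check the question asks for.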
