
Trusted CAs - how does it work?

Can somebody please explain the trust model of the known CAs? Here's what I mean:

microsoft.com, for example, can use a Verisign certificate for their domain - what are the chances for an attacker to ask for a M1crosoft.com domain? Very similar, but attackers could still use it to run a "secured phishing website".

What kind of checks do the CAs do before they give certificates to people? Is there a standard or something? Do I need to assume this and not trust secure websites in reality?

Thank you

A certificate is issued for the microsoft.com domain. And if an attacker uses this certificate on M1crosoft.com, your web browser or other application shows a warning that this certificate is not trustworthy. Some CAs verify who they give certificates to. The root certificates of some of these CAs are in your web browser.

Actually you are right, I'm afraid: if any CA installed in your browser issues the m1crosoft.com certificate, then there may be a phishing attack.

However, since the CA is where the trust comes from, there's no way to bypass this. Fortunately there is some audit mechanism when a CA issues a certificate, though I'm not sure what the audit mechanism is.

You can refer to the question here:

But a CA can make me trust any server they want!

Yes, and that is where the trust comes in. You have to trust the CA not to make certificates as they please. When organisations like Microsoft, Apple and Mozilla trust a CA though, the CA must have audits; another organisation checks on them periodically to make sure everything is still running according to the rules.

Issuing a certificate is done if, and only if, the registrant can prove they own the domain that the certificate is issued for.

I'm not sure if this is what you want to know.
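The two answers above make two separate claims: the first, that a microsoft.com certificate presented by m1crosoft.com triggers a browser warning; the second, that if a browser-trusted CA does issue a m1crosoft.com certificate, nothing on the client side can tell. The script below is an added example (not code from the question, the answers, or any CA) that reproduces both with the openssl command line. It builds a throwaway root CA standing in for a root shipped in the browser, then runs the two checks a TLS client performs: does the chain end at a trusted root, and does the name in the certificate match the host. Every name, key and file is constructed for the demo; it assumes an openssl binary of 1.1.1 or later (for -pkeyopt, -verify_hostname and -extensions on x509 -req) and touches no real CA.

```sh
#!/bin/sh
# Added example: a demo root CA, three certificates, and the client-side
# trust check. All names and files are constructed; none are real.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config for every openssl call, so the demo does not depend on the system
# openssl.cnf. The [dn] entry is overridden by -subj on each invocation.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[real_ext]
subjectAltName = DNS:microsoft.com
[typo_ext]
subjectAltName = DNS:m1crosoft.com
[rogue_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:m1crosoft.com
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# issue HOST EXT NAME: the demo root issues NAME.pem for HOST using extension
# section EXT. A real CA would run its domain-validation checks before this step.
issue() {
  openssl req -new -config demo.cnf -subj "/CN=$1" $KEYOPTS \
    -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$3.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile demo.cnf -extensions "$2" -out "$3.pem" >/dev/null 2>&1
}

# 1. The trusted root (the role played by the roots shipped in your browser).
openssl req -x509 -config demo.cnf -extensions ca_ext -subj "/CN=Demo Root CA" \
  $KEYOPTS -days 1 -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. The legitimate microsoft.com certificate.
issue microsoft.com real_ext leaf

# 3. The case the second answer warns about: the trusted CA also issues a
#    certificate for the look-alike name.
issue m1crosoft.com typo_ext typo

# 4. What an attacker gets with no cooperating CA: a self-signed certificate
#    that merely claims to be m1crosoft.com. No trusted root vouches for it.
openssl req -x509 -config demo.cnf -extensions rogue_ext -subj "/CN=m1crosoft.com" \
  $KEYOPTS -days 1 -keyout rogue.key -out rogue.pem >/dev/null 2>&1

# verify_cert CERT HOST: succeeds only if CERT chains to our root AND names HOST.
# This is the client-side check whose failure is the browser warning.
verify_cert() {
  openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# check CERT HOST: report the outcome in the terms a browser would use.
check() {
  if verify_cert "$1" "$2"; then
    echo "$2 presenting $1: trusted"
  else
    echo "$2 presenting $1: WARNING, certificate not trusted"
  fi
}

check leaf.pem  microsoft.com   # trusted: right root, right name
check leaf.pem  m1crosoft.com   # warning: right root, name mismatch
check rogue.pem m1crosoft.com   # warning: name matches, but no trusted root
check typo.pem  m1crosoft.com   # trusted: only the CA's own checks stood in the way
```

The first three cases are what the first answer describes: reusing someone else's certificate, or self-signing one, both fail the client-side check. The fourth case is the second answer's point: once a CA the browser trusts has signed the look-alike name, the client check passes, so the only defence is the CA's issuance policy, that is, the domain-validation step the quoted answer describes (the registrant proving control of the exact name requested) and the audits that verify the CA actually performs it.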
