保护检查SSL证书的连接安全吗?
[英]Securing a connection checking SSL Certificate?
问题描述
I'm doing an internships. 
我正在实习。 Here they give me a code of an Android application that have been revisione by an agency for the code security and told me to change some points present in a document. 在这里,他们给了我一个Android应用程序的代码,该代码已经由代理机构进行了代码安全性修订,并告诉我更改文档中存在的一些要点。 Now they fear for the information leakage because the application doesn't check for the SSL certificates when connecting to the bank server, risking a "Man In The Middle" attack. 现在他们担心信息泄漏,因为该应用程序在连接到银行服务器时不会检查SSL证书,从而冒着“中间人”攻击的风险。
Is there any class that i can use to check expirency date of the cert. 有什么我可以用来检查证书过期日期的类。 or if it is trusted? 还是值得信赖?
An example of a http connection in the app: 应用程序中的http连接示例:
trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);
SSLSocketFactory sf = new CustomSSLSocketFactory(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
HttpParams bhttpparams = new BasicHttpParams();
HttpProtocolParams.setVersion(bhttpparams, HttpVersion.HTTP_1_1);
HttpProtocolParams.setContentCharset(bhttpparams, "utf-8");
bhttpparams.setBooleanParameter("http.protocol.expect-continue", false);
HttpConnectionParams.setConnectionTimeout(bhttpparams, 20000);
HttpConnectionParams.setSoTimeout(bhttpparams, 200000);
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
registry.register(new Scheme("https", sf, 443));
ClientConnectionManager ccm = new ThreadSafeClientConnManager(bhttpparams, registry);
client = new DefaultHttpClient(ccm, bhttpparams);
client.getCredentialsProvider().setCredentials(new AuthScope(null, -1), new UsernamePasswordCredentials("", ""));
HttpResponse response = client.execute(urlws);
in = new BufferedReader(new InputStreamReader(response.getEntity().getContent(), "UTF-8"), 8);
1 个解决方案
解决方案1
1 已采纳 2015-02-04 09:22:04
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
The vulnerability is here. 漏洞在这里。 Remove it. 去掉它。
But I would question both the competence and the sanity of anyone who gave this task to an uninformed intern without a proper briefing, and you can tell them I said so. 但是我会质疑在没有适当通报的情况下将这个任务交给不知情的实习生的任何人的能力和理智,您可以告诉他们我是这样说的。 I would also be asking some severe questions about how this line of code ever got there in the first peace, and about the inadequacy of the testing that allowed it to remain. 我还会问一些严峻的问题,关于这行代码在最初的和平时期是如何到达那里的,以及测试的不足之处使其无法保留。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.