堆栈内存溢出
  简体   繁体   English

在硬件设备上保护websockets

[英]Secure websockets on hardware device

 原文  2015-05-22 06:09:51       javascript/ c#/ ssl/ websocket

问题描述

I have a hardware device that is communicating over websockets with the Browser. 我有一个通过websockets与浏览器进行通信的硬件设备。 The problem is that I want a secure connection, unfortunately browsers don't connect to self signed certificate. 问题是我想要一个安全的连接,不幸的是浏览器没有连接到自签名证书。 the problem is that every hardware device can have another IP, and certificates are limited on domains. 问题是每个硬件设备都可以拥有另一个IP,并且域上的证书是有限的。 I cannot buy a certificate for each Hardware.. So what can I do? 我不能为每个硬件购买证书..那么我该怎么办?

1 个解决方案

解决方案1
 2 已采纳  2015-05-22 09:07:17

The problem is that I want a secure connection, unfortunately browsers don't connect to self signed certificate. 问题是我想要一个安全的连接,不幸的是浏览器没有连接到自签名证书。

Certificates are used to securely identify the peer. 证书用于安全地识别对等方。 Proper identification is necessary to make sure no man-in-the-middle attacks are possible. 必须正确识别以确保不会发生中间人攻击。 Thus it makes no sense to share the same certificate within 100's of different machines and you would have problems to keep the same private key secure anyway. 因此,在100个不同的机器中共享相同的证书是没有意义的,并且无论如何您都会遇到保持相同私钥安全的问题。

The alternative are self-signed certificates. 替代方案是自签名证书。 But browsers don't connect without warning in this case, because if they would man-in-the-middle attacks would be trivial. 但是在这种情况下,浏览器不会在没有警告的情况下进行连接,因为如果他们中间人攻击是微不足道的。 This means that the user must explicitly acknowledge this certificate as trusted and you have to educate the user how this must be done with the various browsers. 这意味着用户必须明确地将此证书确认为受信任,并且您必须教育用户如何使用各种浏览器完成此操作。

If browsers and devices are all under one control (like within a company-wide roll out) you might instead use your own PKI structure where all certificates are issued by your own CA and this CA is trusted by all your browsers. 如果浏览器和设备都在一个控件下(例如在公司范围内推出),您可以使用自己的PKI结构,其中所有证书都由您自己的CA颁发,并且所有浏览器都信任此CA.

the problem is that every hardware device can have another IP, and certificates are limited on domains. 问题是每个硬件设备都可以拥有另一个IP,并且域上的证书是有限的。

No, certificates can be generated to identify IP addresses too. 不,也可以生成证书来识别IP地址。 You will usually not get these certificates by a public CA, but a private CA can issue such certificates and self-signed certificates work too. 您通常不会通过公共CA获取这些证书,但私有CA可以颁发此类证书,并且自签名证书也可以。 Of course, using IP address instead of a name makes only sense if the IP will be constant for a very long time. 当然,如果IP在很长一段时间内保持不变,那么使用IP地址而不是名称才有意义。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 websockets安全与否? - are websockets secure or not? 流星,模数和安全的websockets - Meteor, Modulus and secure websockets 在Apple设备上运行的Websockets网络性能不佳 - Poor network performance with Websockets running on apple device 通过带有客户端证书身份验证的安全http服务器的Websocket - Websockets via secure http server with client certificate authentication 如何在Photon实时Javascript SDK中使用安全的Websocket? - How do you use secure websockets with Photon realtime Javascript SDK? 将jQuery Signature Pad与硬件捕获设备一起使用 - Use jQuery Signature Pad with hardware capture device 通过javascript获取移动设备硬件信息 - Getting mobile device hardware information via javascript 在Javascript中测试iPhone 3GS的设备定位事件的硬件支持 - Testing hardware support in Javascript for device orientation events of the iPhone 3GS 是否可以通过js检测android设备上的硬件后退按钮点击事件? - Is it possible to detect hardware back button click event on android device by js? 使用回调脚本(3D安全条)在移动设备上打开页面 - Open page on mobile device with callback script (3D secure stripe)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM