Securely updating Certificate Authority Certificates
Certificate Authority certificates are generally bundled in with the application that they're used with, but how can you automatically update them securely?
In PHP, it is recommended to use https://curl.haxx.se/ca/cacert.pem along with cURL, which is safe if you've pre-bundled it, but that URL does not support HTTPS, so it is perfectly possible for a middle-man attack to spoof different certs.
This is related to the problem of secure code delivery, and consequently I suspect the solution to that would also solve this.
Bug the folks at Mozilla to GPG sign certdata.txt, verify the signatures on your end, and then use the same Perl script that the Curl team uses to build your own .pem file. Cut out the middleman.
Note: If the folks at curl.haxx.se aren't able to set up HTTPS, I don't know how much luck the community would have in convincing them to set up this authenticity process.
This would prevent someone from interfering with your communications with curl.haxx.se, while also preventing someone who hacked curl.haxx.se from serving a poisoned certificate list to end users. By advertising the certificates and timestamps in a decentralized ledger, and providing some mechanism for client-side verification, targeted attacks cease to be feasible.
This would not stop the folks at curl.haxx.se from turning evil.
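As an added illustration (not part of the answer, and not curl's own mk-ca-bundle.pl), a minimal Python version of the conversion step the answer describes: parse the MULTILINE_OCTAL values in a signature-verified certdata.txt and emit a PEM bundle containing only roots whose trust object allows server authentication. The certdata excerpt below is constructed for the example, not real NSS data, and the GPG verification the answer asks for is assumed to have happened before this step.

```python
import base64
import re

# Constructed excerpt in Mozilla's certdata.txt layout (not real NSS data).
SAMPLE_CERTDATA = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\377\376\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
'''

def parse_certdata(text):
    """Map label -> (DER bytes, CKA_TRUST_SERVER_AUTH value) from certdata.txt text."""
    certs, trust, label, in_value, octets = {}, {}, None, False, bytearray()
    for line in text.splitlines():
        if in_value:                        # inside a MULTILINE_OCTAL block
            if line == "END":
                certs[label], in_value = bytes(octets), False
            else:                           # \060\202... -> raw DER bytes
                octets += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", line))
        elif line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"')[1]      # labels tie a cert object to its trust object
        elif line == "CKA_VALUE MULTILINE_OCTAL":
            in_value, octets = True, bytearray()
        elif line.startswith("CKA_TRUST_SERVER_AUTH CK_TRUST "):
            trust[label] = line.split()[-1]
    return {l: (certs[l], trust.get(l)) for l in certs}

def build_bundle(text):
    """PEM bundle of roots trusted for server auth (the filter mk-ca-bundle.pl applies by default)."""
    blocks = []
    for label, (der, t) in parse_certdata(text).items():
        if t != "CKT_NSS_TRUSTED_DELEGATOR":    # drop distrusted / must-verify roots
            continue
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"{label}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "\n".join(blocks)
```

Pairing by label is a simplification; the Perl script relies on the trust object following its certificate object in file order, and a distrusted root with no CKA_TRUST_SERVER_AUTH line is likewise left out here.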