
Https vs ssl pinning

I would like to know how a regular SSL protocol differs from SSL pinning. By setting up https, we are able to encrypt the request using SSL. A man-in-the-middle attack will not be able to see the raw payload. I also know SSL pinning is another way to prevent man-in-the-middle attacks. But my question is: if a proxy will always see only the encrypted data under the https protocol, why do we still need to bundle a certificate at the client side and have SSL pinning? What advantage can SSL pinning give us?

Certificate pinning means the client has the server's certificate "built-in" and doesn't use your computer's trusted store. This means that even if your IT dept installs their own root cert, it won't be used.

A particularly clever IT department could install their root cert on your computer, use a proxy like Charles to create fake site certs on the fly, and rewrite your downloaded program on the fly, replacing the pinned cert, but most aren't sophisticated enough to do that final step.

And you could probably just download the software from home too, in which case the pinned cert will be okay, and IT would never see the content of the transmissions.
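As an added example (not code from the question or the answer above), this Python sketch shows the two layers the answer describes: the usual trust-store validation that `ssl.create_default_context()` performs, followed by a pin check that compares the leaf certificate the server presented against hashes bundled in the client. The sample certificate bytes and the hostname are constructed placeholders, not values from any real server.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable

# Constructed stand-in for the DER-encoded certificate a server would present.
# A real pin is the SHA-256 of the genuine certificate's DER bytes, computed
# when the client is built and shipped inside it.
SAMPLE_CERT_DER = b"-- constructed stand-in for a DER certificate --"
PINNED_SHA256 = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()


def cert_matches_pin(der_bytes: bytes, pins: Iterable[str]) -> bool:
    """Return True if SHA-256(der_bytes) equals one of the pinned hex digests.

    Several pins are accepted so a backup pin for the next certificate can
    ship alongside the current one. compare_digest avoids a timing side channel.
    """
    digest = hashlib.sha256(der_bytes).hexdigest()
    return any(hmac.compare_digest(digest, pin) for pin in pins)


def connect_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that must pass BOTH checks:

    1. chain validation against the machine's trust store (done by wrap_socket), and
    2. the pin check below, which rejects a certificate minted under an extra root
       installed on the machine (e.g. an intercepting proxy) even though step 1
       accepted it.
    """
    ctx = ssl.create_default_context()  # normal trust-store verification
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        peer_der = tls.getpeercert(binary_form=True)
        if not cert_matches_pin(peer_der, pins):
            raise ssl.SSLCertVerificationError("leaf certificate does not match any pinned hash")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Placeholder host; with a real host, supply the pin of its real certificate.
    with connect_pinned("pinned.example.invalid", 443, {PINNED_SHA256}) as conn:
        print("connected to", conn.server_hostname)
```

Pinning the whole certificate hash means the pin must be rotated whenever the certificate is renewed; pinning the hash of the SubjectPublicKeyInfo instead survives renewal as long as the server keeps the same key pair.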
