
SSL or Code Signing Certificate

We have to make sure that our REST services are secure and we are thinking about using an SSL certificate for that, however someone is suggesting using a code signing certificate and I am not sure whether it will provide the HTTPS protocol and secure client/server communication (point to point). There is not much information available on the internet; it will help if someone can elaborate on it and let me know if a code signing certificate will also use HTTPS in the browser to make secure client/server communication.

Thanks in advance.

... however someone is suggesting using a code signing certificate and I am not sure whether it will provide the HTTPS protocol and secure client/server communication.

Code signing won't help. The web security model is not set up that way. Some good reading on the subject is the STREWS web security report. It highlights almost all security features, but it often omits security gaps (i.e., it fails to document risk).

Under the current model, the browser executes code regardless of where it came from. It could be HTTPS, HTTP or injected by a bad guy. As the "browser as a platform" expands and becomes more fully featured to align with native applications, the current model does not meet needs. That's because some APIs deal with sensitive data, like Camera, Microphone and Location, so something more than "any code can run from anywhere" is needed.

The web's model is moving towards Secure Origins to authorize code to run when it intersects with sensitive data. The only thing you need for a secure origin is a server certificate to identify the host. Also see Prefer Secure Origins For Powerful New Features in Chrome and the various discussions on the IETF's web-app-sec mailing list.

Now would be a good time to mention the web is making the leap that Authentication is Authorization. An X509 certificate only identifies the server; it does not authorize any privilege per se. The CA that certifies the identity of the host does not make those claims or warrant anything remotely close to it. And Public Key Pinning with Overrides breaks the presumptions of Secure Contexts.

Authentication is Authorization is the same mistake made by Java with its applets and the sandbox. Treating authorization as if it was authentication got so bad with Java that the recommendation became "don't ask for any permissions because it allows you to break out of the sandbox (and only malware asks for permissions)". For more reading, see Java's Losing Security Legacy.

Someone doesn't know what they are talking about. SSL endpoints are secured with SSL certificates. Code is secured with code signing certificates. Never the twain shall meet.
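An added example, not part of the question or either answer, of the mechanism behind this distinction: a TLS client checks the certificate's Extended Key Usage extension (RFC 5280 section 4.2.1.12) for id-kp-serverAuth, while a code signing certificate carries id-kp-codeSigning instead, so a browser will not accept it as a server certificate. The DER values below are hand-constructed for this example, and the parser handles only the EKU extension value, not a whole certificate.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"   # id-kp-codeSigning
ANY_EKU = "2.5.29.37.0"              # anyExtendedKeyUsage

def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                 # short form: one byte
        return first, pos + 1
    nbytes = first & 0x7F            # long form: count of following length bytes
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    first = body[0]                  # first byte packs the first two arcs
    arcs = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    value = 0
    for b in body[1:]:               # base-128; high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """Parse an ExtendedKeyUsage value (SEQUENCE OF OID) into a list of dotted OIDs."""
    if der[0] != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid_len, pos = _read_length(der, pos + 1)
        oids.append(decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    return oids

def usable_for_tls_server(eku):
    """RFC 5280: an absent EKU allows any purpose; otherwise serverAuth or anyEKU is required."""
    return eku is None or SERVER_AUTH in eku or ANY_EKU in eku

# Constructed sample extension values (hand-encoded DER, not taken from any real certificate).
TLS_SERVER_EKU = bytes.fromhex("300a06082b06010505070301")    # EKU = {serverAuth}
CODE_SIGNING_EKU = bytes.fromhex("300a06082b06010505070303")  # EKU = {codeSigning}
```

Feed `parse_eku` the raw value of the EKU extension pulled from a certificate's `tbsCertificate.extensions` to reproduce the decision a TLS client makes.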
