HTTPS拦截
[英]HTTPS intercept
问题描述
I don't know much about SSL, but I've read something and I was wondering if it's possible to intercept the communication between client and server (for example, a company can monitor employees data transfer?). 
我对SSL知之甚少,但我读过一些东西,我想知道是否有可能拦截客户端和服务器之间的通信(例如,公司可以监控员工的数据传输?)。 I thought it was a difficult task, but it looks like that it is very simple. 我认为这是一项艰巨的任务,但看起来很简单。 When a client requests a https connection the router can be instructed to intercept the key exchange and send to the server and the client it's own public keys (further it can encode/decode the hole traffic). 当客户端请求https连接时,可以指示路由器拦截密钥交换并向服务器和客户端发送它自己的公钥(进一步它可以对空洞流量进行编码/解码)。 Is it true, or I'm misunderstanding something? 是真的,还是我误解了什么?
3 个解决方案
解决方案1
5 已采纳 2011-11-28 09:45:49
If a CA under your control is trusted in all browsers used by employees it's easily possible: 如果您所控制的CA在员工使用的所有浏览器中都受信任,则可以轻松实现:
The company proxy needs to create certificates resembling the original certificate on the fly and present those certificates to the clients. 公司代理需要动态创建类似于原始证书的证书,并将这些证书提供给客户。 All information could be taken from the real certificate, the only difference would be in the CA signing the certificate. 所有信息都可以从真实证书中获取,唯一的区别在于CA签署证书。
However, at least google chrome would complain for google-owned domains since they have an explicit whitelist on which CAs may sign certificates used for google domains. 但是,至少谷歌浏览器会抱怨谷歌拥有的域名,因为他们有明确的白名单,CA可能会签署用于谷歌域名的证书。
解决方案2
2 2011-11-28 09:41:43
At a company network, the companies own SSL CA:s are often installed on all machines. 在公司网络中,公司拥有SSL CA:s通常安装在所有计算机上。 In this case, a company proxy can present a company certificate which will be accepted by the browser, and read the traffic. 在这种情况下,公司代理可以提供将被浏览器接受的公司证书,并读取流量。
I you look at the certificate details (found in your browser's address bar), you can check if it is the expected certificate of the remote server, or if it is another certificate created by the company. 我查看证书详细信息(可在浏览器的地址栏中找到),您可以检查它是否是远程服务器的预期证书,或者它是否是公司创建的另一个证书。
You can use for example http://www.sslshopper.com/ssl-checker.html#hostname=www.google.com to check what certificate its supposed to be. 您可以使用例如http://www.sslshopper.com/ssl-checker.html#hostname=www.google.com来检查它应该是什么证书。 (obviously change the hostname to whatever server it is you want to use) (显然将主机名更改为您要使用的任何服务器)
解决方案3
1 2011-11-28 09:37:23
It's partially true: the process you describe would work but the client would be notified that the server certificate is not the expected one (not certified, assigned to another site). 部分原因是:您描述的流程可以正常工作,但会通知客户端服务器证书不是预期的(未经认证,分配给其他站点)。 So it's not possible to do it transparently and without them knowing, but that may be acceptable in a corporate environment. 因此,如果没有他们的知道,就不可能透明地进行,但这在企业环境中是可以接受的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.