Vulnerability fix: Often Misused: Weak SSL Certificate

This article looks at how self-signed certificates work and the security risks they carry, including man-in-the-middle attacks, and proposes using a trusted certificate authority (such as Let’s Encrypt) to improve site security.


Description

WebInspect has identified a self-signed certificate served from the target server. Server certificates declare the public key of the server for use in transport layer security. Trusted third parties known as Certificate Authorities (CAs) sign and issue the certificates to ensure that they are authentic and contain the public key of the intended server. The public key of the root CA is embedded in the operating system (OS) by the vendor (e.g., in Windows by Microsoft or in Mac OS by Apple). Upon receipt of a certificate, the client (e.g., a web browser) verifies the identity against the trusted CAs embedded in the OS. In the case of a self-signed certificate, the certificate is signed with its own private key, so a client cannot verify its identity against a trusted CA. Since no third-party verification is possible, an attacker can mount a man-in-the-middle impersonation attack by issuing a certificate with fake details and a public key that he controls. The client generates a security warning for a self-signed certificate, which a user can override. Users can inspect the certificate before allowing it to be trusted. However, a legitimate self-signed certificate from the intended site can encourage the insecure habit of overriding self-signed certificate warnings without inspecting the details, which in turn makes users more susceptible to impersonation attacks.

Solution

Use a CA-issued certificate.

Free CA-issued certificates:

Let’s Encrypt

References

https://vulncat.fortify.com/en/detail?id=desc.dynamic.xtended_preview.often_misused_weak_ssl_certificate
