嵌入式网络服务器和证书

发布于 2024-07-16 16:17:30 字数 680 浏览 7 评论 0原文

我有一个带有嵌入式网络服务器的应用程序。 该网络服务器现在可以通过 OpenSSL 包执行 SSL :)

现在讨论证书问题。 这个应用程序已售出,我这么说是因为它不仅仅位于我拥有的服务器上,它还安装在数千台计算机上。 我希望我的客户安全,因此我希望他们尽可能轻松地使用 SSL。 现在我们创建自己的 CA,然后创建自签名证书。 这意味着我们所有的客户(及其用户)都需要安装其自定义的、特定于安装的 CA,或者接受来自证书的不可信根警告,这两种方式都没有吸引力。

如何解决这个问题?

我们要么需要:

  1. 使安装我们的 CA 变得非常简单(浏览器故意让安装变得非常困难——有很多吓人的警告对话框)
  2. 以某种方式让所有这些客户证书都由浏览器认可的 CA 合法签名。
  3. 强迫客户去购买自己的证书并安装它

我不知道我们将如何做#1,所以我们正在考虑#2。 #3 几乎是不可能的。

我们突然想到,我们可以购买一个 SSL 证书,并将其与我们的产品一起提供 - 是的,每个人都使用相同的证书,并且证书和私钥可能会泄漏到公共领域......嗯。 .. 出于责任的原因,可能不希望我们的名字出现在上面...

我想问题是我们首先就违背了 CA 的目的。 关于如何让用户变得简单、安全,有什么想法吗? (假设中间人攻击不是一个问题——有没有真正记录过?)

I have an app with an embedded webserver. This webserver can now do SSL via the OpenSSL package :)

Now to the cert issue. This app is sold, which I say because it's not just sitting on a server I own -- it gets installed on thousands of computers. I want my customers to be safe so I want them to use SSL as painlessly as possible. Right now we create our own CA, then create self-signed certs. This means all of our customers (and their users) need to either install their custom, installation-specific CA, or live with the untrusted root warning from the cert, neither of which are appealing.

How to get around that?

We either need to:

  1. Make it dead-simple to install our CA (which browsers purposely make quite hard -- lots of scarey warning dialogs)
  2. Somehow get all of those customer certs legitimately signed by a browser recognized CA.
  3. Force the customer to go buy their own cert and install it

I don't see how we'll do #1, so we're looking at #2. #3 is pretty much out of the question.

It occurs to us that we could just buy an SSL cert, and ship it with our product -- yes, everyone is using the same cert, and the cert and private key could/would be leaked into the public domain... hmmm... Probably don't want our name on that for liability's sake...

I guess the problem is that we're working against the purpose of CAs in the first place. Any thoughts on how to make this easy and safe for the user? (Assume man-in-the-middle attacks aren't a concern -- has one ever actually been documented??)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

又爬满兰若 2024-07-23 16:17:30

对此没有简单的解决方案。 如果这个问题很容易解决,那么 SSL 证书系统的安全性就会很差。

正如您所说,您对于如何避免浏览器警告的选择是有限的。 每种方法可能都很好,具体取决于应用程序。

1. 在客户端浏览器上安装根 CA

如果应用程序在内部使用或者客户端需要安装某些内容来使用该应用程序,那么这是一个合理的解决方案。 这可能也是成本最低的解决方案,因为不需要额外的费用。 但是,如果该应用程序要供广大人群使用,那么这不是一个合理的解决方案。

2. 购买商业根 CA 签名证书

如果您的应用程序向互联网开放,这很可能是必需的。 但是,如果您销售应用程序而不是简单地提供其服务,那么出于您提到的责任原因,这可能并不好。

3. 让客户购买他们自己的商业根 CA 签名证书

如果您的应用程序被出售以供客户使用,这可能是合理的。 您可以使用自签名证书作为基本选项来提供应用程序,并让您的客户根据需要使用他们的证书。 许多公司的网站已经拥有 SSL 证书。

There is no simple easy solution to this. If this was easily solved the security of the SSL certificate system would be poor.

As you said, your choices are limited as to how to avoid the browser warnings. Each approach might be good depending on the application.

1. Install root CA on client browsers

This is a reasonable solution if the application is used internally or if the clients are expected to install something to use the application. This is probably also the lowest cost solution since no extra expense is necessary. However, if the application is going to be used by the population at large, then this isn't a reasonable solution.

2. Buy a commercial root CA signed certificate

If your application is open to the internet, this is most likely required. However, if you're selling the application rather than simply offering its services, this might not be good for liability reasons as you mentioned.

3. Get customer to buy their own commercial root CA signed certificate

If your application is being sold to be used by clients, this is probably reasonable. You can offer the application using a self-signed certificate as a base option, and offer to your client to use their certificate if they wish. Many companies already have SSL certificates for their sites.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文