Difference between the https protocol and an SSL certificate
What is difference between https protocol and SSL Certificate that we use in web browser?
Aren't both of these used to encrypt communication between client (browser) and server?
Comments (4)
HTTPS is HTTP (HyperText Transfer Protocol) plus SSL (Secure Sockets Layer). You need a certificate to use any protocol that uses SSL.
SSL allows arbitrary protocols to be communicated securely. It enables clients to (a) verify that they are indeed communicating with the server they expect and not a man-in-the-middle and (b) encrypt the network traffic so that parties other than the client and server cannot see the communication.
An SSL certificate contains a public key and certificate issuer. Not only can clients use the certificate to communicate with a server, clients can verify that the certificate was cryptographically signed by an official Certificate Authority. For example, if your browser trusts the VeriSign Certificate Authority, and VeriSign signs my SSL certificate, your browser will inherently trust my SSL certificate.
There's some good reading here: http://en.wikipedia.org/wiki/Transport_Layer_Security
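The chain check described in this answer (the certificate carries a public key and names its issuer; the client verifies that a CA it trusts signed it, for the hostname it expects) can be demonstrated end-to-end with Go's standard library. This is an added example, not code from the answer above or from any browser: it builds a throwaway test CA and a leaf certificate for the invented hostname `example.test`, then verifies the leaf the way a TLS client would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle holds a constructed CA and a leaf certificate signed by it.
// Both are generated in memory for illustration only; nothing here is a real PKI.
type Bundle struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// MakeBundle creates a self-signed CA and a server certificate for the
// hypothetical host "example.test" whose signature chains to that CA.
func MakeBundle() (*Bundle, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// A self-signed certificate: template and parent are the same, signed with the CA key.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"}, // the name a browser matches against the URL
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf carries the server's public key and is signed by the CA's private key;
	// its Issuer field is copied from the CA's Subject, which is how clients find the issuer.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Bundle{CA: ca, Leaf: leaf}, nil
}

// VerifyLeaf performs the client-side check: the leaf must chain to one of the
// given trusted roots, be valid now, and be issued for the expected hostname.
// A nil error means "trust this certificate for host".
func VerifyLeaf(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	b, err := MakeBundle()
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer on leaf:", b.Leaf.Issuer.CommonName)
	fmt.Println("trusted CA, right host:", VerifyLeaf(b.Leaf, "example.test", b.CA))
	fmt.Println("trusted CA, wrong host:", VerifyLeaf(b.Leaf, "other.test", b.CA))
}
```

Note that the first two checks fail in the second `main` line and in the unrelated-CA case below for different reasons: a leaf signed by a CA the client does not trust fails the chain check, and a leaf for the wrong hostname fails even though the chain is fine. Both failures are what protect the user from a man-in-the-middle holding some other valid certificate.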
Two pieces of one solution.
https is the protocol that defines how the client and server are going to negotiate a secure connection.
The SSL Certificate is the document that they will use to agree upon the server's authenticity.
HSTS is the new HTTPS.
HTTPS is highly vulnerable to SSL Stripping / MITM (man in the middle).
To quote Adam Langley's (Google) blog Imperial Violet:
"HTTPS tends to cause people to give talks mocking certificate security and the ecosystem around it. "
The problem is that the page isn't served over HTTPS. It should have been, but when a user types a hostname into a browser, the default scheme is HTTP. The server may attempt to redirect users to HTTPS, but that redirect is insecure: a MITM attacker can rewrite it and keep the user on HTTP, spoofing the real site the whole time. The attacker can now intercept all the traffic to this perfectly well configured and secure website.
This is called SSL stripping and it's terribly simple and devastatingly effective. We probably don't see it very often because it's not something that corporate proxies need to do, so it's not in off-the-shelf devices. But that respite is unlikely to last very long and maybe it's already over: how would we even know if it was being used?
In order to stop SSL stripping, we need to make HTTPS the only protocol. We can't do that for the whole Internet, but we can do it site-by-site with HTTP Strict Transport Security (HSTS).
HSTS tells browsers to always make requests over HTTPS to HSTS sites. Sites become HSTS either by being built into the browser, or by advertising a header:
Strict-Transport-Security: max-age=8640000; includeSubDomains
The header is in force for the given number of seconds and may also apply to all subdomains. The header must be received over a clean HTTPS connection.
Once the browser knows that a site is HTTPS only, the user typing mail.google.com is safe: the initial request uses HTTPS and there's no hole for an attacker to exploit.
(mail.google.com and a number of other sites are already built into Chrome as HSTS sites so it's not actually possible to access accounts.google.com over HTTP with Chrome - I had to doctor that image! If you want to be included in Chrome's built-in HSTS list, email me.)
HSTS can also protect you, the webmaster, from making silly mistakes. Let's assume that you've told your mother that she should always type https:// before going to her banking site or maybe you setup a bookmark for her. That's honestly more than we can, or should, expect of our users. But let's say that our supererogatory user... ]
Because of obstructing/very stupid link-rules for new users on Stack Overflow I cannot give you the rest of Adam's answer and you'll have to visit Adam Langley's blog yourself at
https://www.imperialviolet.org/2012/07/19/hope9talk.html
"Adam Langley works on both Google's HTTPS serving infrastructure and Google Chrome's network stack."
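The quoted text describes three rules a browser applies to the `Strict-Transport-Security` header: it is only honoured when received over a clean HTTPS connection, it is in force for `max-age` seconds, and with `includeSubDomains` it covers subdomains too. The following Go program is an added illustration of those rules, not code from the answer, from Adam Langley's blog, or from any browser. It implements a small client-side HSTS cache with an injectable clock, plus a server-side wrapper that only emits the header on TLS responses; the hostnames `example.test` and `other.test` are invented.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// HSTSPolicy is what a client remembers for a host after a valid header.
type HSTSPolicy struct {
	Expires           time.Time
	IncludeSubDomains bool
}

// HSTSStore is a minimal cache of HSTS policies keyed by lower-cased host.
// The clock is injectable so expiry can be exercised without waiting.
type HSTSStore struct {
	policies map[string]HSTSPolicy
	now      func() time.Time
}

func NewHSTSStore(now func() time.Time) *HSTSStore {
	return &HSTSStore{policies: map[string]HSTSPolicy{}, now: now}
}

// ParseSTS parses a Strict-Transport-Security value such as
// "max-age=8640000; includeSubDomains". max-age is mandatory; directive
// names are case-insensitive; a duplicated max-age is rejected.
func ParseSTS(value string) (maxAge int64, includeSub bool, err error) {
	seenMaxAge := false
	for _, part := range strings.Split(value, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		name := strings.ToLower(strings.TrimSpace(kv[0]))
		val := ""
		if len(kv) == 2 {
			val = strings.Trim(strings.TrimSpace(kv[1]), `"`)
		}
		switch name {
		case "max-age":
			if seenMaxAge {
				return 0, false, fmt.Errorf("duplicate max-age directive")
			}
			n, convErr := strconv.ParseInt(val, 10, 64)
			if convErr != nil || n < 0 {
				return 0, false, fmt.Errorf("invalid max-age %q", val)
			}
			maxAge, seenMaxAge = n, true
		case "includesubdomains":
			includeSub = true
		}
	}
	if !seenMaxAge {
		return 0, false, fmt.Errorf("max-age directive missing")
	}
	return maxAge, includeSub, nil
}

// Observe records a header for host. The header is ignored unless the
// response came over TLS: on plain HTTP an on-path attacker could set it.
// max-age=0 tells the client to forget a previously stored policy.
func (s *HSTSStore) Observe(host string, overTLS bool, header string) error {
	if !overTLS {
		return fmt.Errorf("ignoring Strict-Transport-Security received over plain HTTP")
	}
	maxAge, sub, err := ParseSTS(header)
	if err != nil {
		return err
	}
	host = strings.ToLower(host)
	if maxAge == 0 {
		delete(s.policies, host)
		return nil
	}
	s.policies[host] = HSTSPolicy{
		Expires:           s.now().Add(time.Duration(maxAge) * time.Second),
		IncludeSubDomains: sub,
	}
	return nil
}

// IsKnownHTTPSOnly reports whether an unexpired policy covers host, either
// directly or through a parent domain that set includeSubDomains.
func (s *HSTSStore) IsKnownHTTPSOnly(host string) bool {
	labels := strings.Split(strings.ToLower(host), ".")
	for i := range labels {
		p, ok := s.policies[strings.Join(labels[i:], ".")]
		if !ok || !s.now().Before(p.Expires) {
			continue
		}
		if i == 0 || p.IncludeSubDomains {
			return true
		}
	}
	return false
}

// Upgrade rewrites an http:// URL to https:// when its host is HSTS-covered,
// so the insecure first request that SSL stripping relies on never happens.
func (s *HSTSStore) Upgrade(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "http" && s.IsKnownHTTPSOnly(u.Hostname()) {
		u.Scheme = "https"
		if u.Port() == "80" { // drop the now-meaningless explicit HTTP port
			u.Host = u.Hostname()
		}
	}
	return u.String(), nil
}

// WithHSTS is the server side: add the header only on TLS responses, since
// clients discard it on plain HTTP anyway.
func WithHSTS(next http.Handler, maxAge int64, includeSub bool) http.Handler {
	value := "max-age=" + strconv.FormatInt(maxAge, 10)
	if includeSub {
		value += "; includeSubDomains"
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", value)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	s := NewHSTSStore(time.Now)
	fmt.Println(s.Observe("example.test", false, "max-age=8640000; includeSubDomains"))
	fmt.Println(s.Observe("example.test", true, "max-age=8640000; includeSubDomains"))
	fmt.Println(s.Upgrade("http://mail.example.test/inbox"))
}
```

The store is deliberately simple: a real browser also persists policies across restarts and ships a preloaded list, as the quoted text mentions for Chrome, but the acceptance, expiry and subdomain logic is the same.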
HTTPS is an application layer protocol. It can provide non-repudiation of individual requests or responses through digital signatures.
SSL is a lower level protocol and does not have this capability. SSL is a transport level encryption.
HTTPS is more flexible than SSL: an application can configure the level of security it needs. SSL has fewer options so it is easier to set up and administer.