Using a single certificate for all users
I'm thinking about using a CA for authenticating over https with my app to my web server.
My question is: How easy would it be for a hacker to steal that cert from the phone?
The scenario is: every user of my app uses the same cert which comes bundled with the app, someone digs it out of the phone (somehow?), posts it on the web and now the web server is getting ddos'd. I then have to invalidate the cert, but then I've invalidated all my users.
How difficult is it going to be for a hacker to do this? If it's easy, then it may not be worth having a cert at all.
Comments (1)
I'd say trivial to extract it from the app. There are two parts: certificate (which is essentially the public key), and secret key.
For HTTPS, the certificate is presented in clear on the wire, and is used to establish the encrypted session.
But it's not the certificate you worry about - that is public, and needs to be - it's the other half, the secret key. For HTTPS to work you need to perform part of the initial establishment sequence with the secret key.
A crucial part of the certificate and secret key is the same. A set of bytes known as the Modulus. Take that from the wire (as it will be there), search your app image for the same modulus and your hacker will have the secret part nearby, and can spoof away to his heart's content.
Bad idea, really.
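The answer's point is that the certificate and its private key share the modulus, so anyone holding the (public) certificate has a search pattern for locating the private key in whatever ships with the app. The following Go program is an added example, not code from the question, the answer or any project: it is a pre-release check a developer can run against their own build artifact to confirm whether the private key behind a bundled client certificate is inside it. It generates a throwaway self-signed certificate (the CommonName and the two "APPIMAGE" byte blobs are constructed for the example, not real values), verifies that cert and key carry the same modulus, then audits two constructed artifacts: one that bundles only the certificate and one that also bundles the PKCS#1 DER private key. Only Go standard-library packages are used.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditResult is what the pre-release check reports for one build artifact.
type AuditResult struct {
	ModulusFound    bool // the public modulus occurs somewhere (expected when the cert is bundled)
	PrivateKeyFound bool // the private exponent D sits within a window after a modulus hit
}

// makeClientCert creates a fresh RSA key and a self-signed certificate for it.
// Constructed for this example; a real client certificate would come from the CA.
func makeClientCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "shared-app-client"}, // hypothetical name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// SharesModulus confirms the answer's observation: the certificate's RSA public
// key and the private key carry the same modulus N.
func SharesModulus(cert *x509.Certificate, key *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.N.Cmp(key.N) == 0
}

// AuditArtifact scans a build artifact for the modulus taken from the certificate
// and, for each hit, looks within `window` bytes for the private exponent D.
// Finding the modulus alone is normal (the certificate is public); finding D as
// well means the private key was shipped inside the artifact.
func AuditArtifact(cert *x509.Certificate, key *rsa.PrivateKey, artifact []byte, window int) AuditResult {
	var res AuditResult
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return res
	}
	n, d := pub.N.Bytes(), key.D.Bytes()
	start := 0
	for {
		i := bytes.Index(artifact[start:], n)
		if i < 0 {
			break
		}
		res.ModulusFound = true
		at := start + i
		end := at + window
		if end > len(artifact) {
			end = len(artifact)
		}
		if bytes.Contains(artifact[at:end], d) {
			res.PrivateKeyFound = true
			break
		}
		start = at + 1
	}
	return res
}

// AuditBundles builds two constructed app images and audits both: one bundling
// only the certificate (fine) and one where the PKCS#1 DER private key was
// packaged next to it (the situation the question describes).
func AuditBundles() (leaky AuditResult, clean AuditResult, err error) {
	key, cert, err := makeClientCert()
	if err != nil {
		return leaky, clean, err
	}
	if !SharesModulus(cert, key) {
		return leaky, clean, fmt.Errorf("certificate and key do not share a modulus")
	}
	keyDER := x509.MarshalPKCS1PrivateKey(key)
	header, footer := []byte("APPIMAGE-HEADER"), []byte("APPIMAGE-FOOTER") // constructed padding
	cleanImg := bytes.Join([][]byte{header, cert.Raw, footer}, nil)
	leakyImg := bytes.Join([][]byte{header, cert.Raw, keyDER, footer}, nil)
	clean = AuditArtifact(cert, key, cleanImg, 4096)
	leaky = AuditArtifact(cert, key, leakyImg, 4096)
	return leaky, clean, nil
}

func main() {
	leaky, clean, err := AuditBundles()
	if err != nil {
		panic(err)
	}
	fmt.Printf("cert-only bundle: %+v\n", clean)
	fmt.Printf("cert+key bundle:  %+v\n", leaky)
}
```

Run it as `go run main.go`: the cert-only bundle reports the modulus but no private key, while the bundle that also packages the key reports both, which is exactly the condition the answer warns about. A key that the audit can find this way is one that anyone with the app can find, so a positive result is a reason not to ship that artifact, independent of how the key is later used.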