SSL and Man in the middle attack
I am under the impression that self signed certificate pose risks of man in the middle attack as client can be presented a different self signed certificate by the middle man. My question is as follow.
If I use a self signed certificate (Using SelfSSL) on the server and at the time of running an ssl page (It is an admin page and not for the public) browser gives me a warning and I install the self signed certificate in the trusted store (Assume that this request is not intercepted by the middle man), will there be any risk of man in the middle attack. For my test what I did is to change the certificate on the server keeping all the parameters same and it created a different thumbprint and browser start giving me the warning again while running ssl page. This means if anybody change the certificate, I will get the warning which will indicate that certificate has been changed from the one I added to the trusted store. Is there any flaw what I am doing? I don't want to buy any ssl just for my own one page.
Yes,; that will work fine.
As long as the browser can verify that you have the correct self-signed certificate, you're OK.
However, if you get an MITM attack during that first connection when you trust the certificate, you're in big trouble. (since you would end up trusting the attacker's certificate rather than your own)
It wasn't clear from your post, disregard below if there is only one user (yourself) for this web app, otherwise...
Aren't you just training your users to ignore browser security warnings? So what is to say they don't ignore the warning when someone trying to inject a new cert during MITM attack? You want them to ignore the first warning, but if they get another warning later, they should know this is a problem?
Users aren't that sophisticated. Using a self-signed SSL is basically saying you don't care about your users security.
链接地址: http://www.djcxy.com/p/21754.html上一篇: 中间人攻击HTTPS
下一篇: SSL和Man在中间进攻