How to prevent a man-in-the-middle HTTPS attack from the server?

Question

How to prevent a man-in-the-middle HTTPS attack from the server?

In the HTTPS security model, the weakest part is the list of trusted CAs in the browser. There are many ways that someone can add an additional list CA so that users trust the wrong guy.

For example, a public computer or PC in your company. An administrator can force you to trust a CA issued by himself; he can be very insecure with an HTTPS proxy server using HTTPS relays. As a result, they will be able to SPY your message, login and password, even the browser tells you that you are using a reliable SSL connection.

In this case, what can a web application developer do to protect the user as well as the system?

+5

security https

Dennis c Jun 20 '10 at 8:46

source share

2 answers

, , , - , .

, , . , , , , ! - , , , , .

, , XmlHttpRequest JavaScript , , , .

, , , /, . , , , .

+1

Jeffrey Hantin 22 . '10 0:27

jwsample · Accepted Answer · 2010-07-22T00:21:19+0000

As a web application developer, you can do this very little.

This problem should be considered further on the stack.

If someone halfway around the world wants to:

and. Place the false root CA on the computer.

b. Issue a certificate for your domain under this CA

with. Personalize your site

e. Give someone a local DNS record for your domain on a different ip

Your application has not participated or consulted in any of the above steps, so good network administration and security are important here.

Besides this, maybe there is a legitimate reason why someone can do this locally on their personal network. Who am I to stop them?

This, in essence, is what corporate web proxy filters do, and they are within their rights to do so.

, - , , .

How to prevent a man-in-the-middle HTTPS attack from the server?

More articles: