I have an iOS client application that connects to a server over HTTPS. I have added code to the client to validate the server's identity.
How can the testers who test this feature verify that it is now secure, e.g. how would they create a MITM situation and check that the client refuses the connection, and so on?
I have tried googling how to do this, but without much luck.
Can it be done with tools such as Charles and a proxy, or does it require a wireless router and the necessary detailed knowledge?
This might be an oversimplification for your solution, but the concepts might help.
A web browser extracts the host name from the embedded certificate and compares it with the host name that we're trying to connect to. If validation fails, we usually see a security warning. For example: we can connect to Facebook either by typing https://www.facebook.com or by typing https://173.252.100.16/. When we choose the second option, we get a security warning.
Your program must be using an SSL client socket to connect to the HTTPS server. The socket must have the capability to extract the host name from the embedded certificate. Once you get that, compare it with the valid HOST NAME that your program is trying to connect to. If it matches, let the request proceed; if not, abandon that session.
To re-create a MITM, your web server can use a self-signed certificate that can be issued to whatever host name you want, but the IP of the server could be 127.0.0.1 (for example). Since there is a mismatch between the host name and the actual IP, we can probably simulate the MITM situation.
I'm assuming that digital certificate can't be forged in this case.
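The name check the answer describes, as an added example (not code from the question or the answer), written from the tester's side in Python: the certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, and `hostname_matches` applies the usual rules (subjectAltName before CN, wildcard only as the whole leftmost label, a raw IP matches only an iPAddress entry) so the Facebook-by-IP case from the answer is rejected.

```python
import ipaddress

# Constructed sample certs; the dict shape mirrors ssl.getpeercert().
FACEBOOK_LIKE_CERT = {
    "subject": ((("commonName", "*.facebook.com"),),),
    "subjectAltName": (("DNS", "*.facebook.com"), ("DNS", "facebook.com")),
}
SELF_SIGNED_MITM_CERT = {          # the tester's cert: right name, no SAN
    "subject": ((("commonName", "www.facebook.com"),),),
}


def _dns_label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only be the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject "*.com", "f*.example.com" and "a.*.b"; never match across a dot.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if the name the client dialled is bound in the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # Dialling a raw IP: only an "IP Address" SAN may match, never a DNS name or CN.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_label_match(p, hostname) for p in dns_names)
    # Legacy fallback: no SAN present, so fall back to the subject's CN.
    cns = [val for rdn in cert.get("subject", ())
           for key, val in rdn if key == "commonName"]
    return any(_dns_label_match(p, hostname) for p in cns)


if __name__ == "__main__":
    for host in ("www.facebook.com", "173.252.100.16", "a.b.facebook.com"):
        print(host, hostname_matches(FACEBOOK_LIKE_CERT, host))
```

Note that the self-signed certificate carrying the right name passes this name check; that MITM case is caught by the separate trust-chain check against the client's trusted roots, which is why a tester exercises both.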