0

I'm currently working on a project which involves building a digital fortress on the client side(Browser) to mitigate against Man-in-the-middle attacks on SSL's PKI infrastructure. Though they're numerous possibilities of mounting man-in-the-middle attacks on SSL connections but I'm meant to focus on the issues with the PKI infrastructure and also taking the system's performance into consideration.

After doing a wee bit of research these are the following task I think I'm set out to achieve

  1. Ascertaining the validity period of a certificate by checking its validity period and checking if a certificate's serial number exists in a CRL list
  2. Disabling MD5 for certificate checking
  3. Ensuring the server the client(Browser) is connecting to is the real server. Can this be achieved by a URL or by simply by doing a DNS lookup?, because I think both URL and DNS are not also secured to some extent. I'm thinking of this web server fingerprinting thing but yet I still need a repository to check with.What else can i use??
  4. Certificate Fingerprint. Are they any certificate hash or fingerprint repository that are trusted that I can lookup the fingerprints of certificate??.

What else do I need to check to stop man-in-the-middle attacks??

I intend to use a java Applet embedded in a browser to handle this task and so I know it is impossible to connect to a web server without the website's login page. The issue is how can I make a test connection to the server using my Applet embedded page just to get the server's certificate or better still is it possible to do a connection using the website's login page and terminating the SSL handshake after the server sends a certificate so the Applet just go into the certificate store to retrieve the certificate and analyze the certificate to safeguard against Man-in-the-middle attack.

As I've said I would like to use java build the solution because it is widely speculated that java applet are more faster than javascripts. And also browser extensions are mostly platform dependent which is not in the case of java Applets. Can this be a performance yardstick??

4

1 回答 1

-1

通过检查证书的有效期和证书的序列号是否存在于 CRL 列表中来确定证书的有效期

浏览器已经这样做了。

禁用 MD5 进行证书检查

为什么?如果证书有 MD5 哈希,您必须检查它。删除它如何减轻 MITM 攻击!这没有意义。

确保客户端(浏览器)连接的服务器是真正的服务器。

浏览器已经这样做了。它内置于 HTTPS 协议中。

这可以通过 URL 还是通过简单地通过 DNS 查找来实现?因为我认为 URL 和 DNS 在某种程度上也不是安全的。

不,不,不,不,不。

我正在考虑这个网络服务器指纹识别,但我仍然需要一个存储库来检查。我还能用什么?

你问的首先没有意义。

证书指纹。他们是否有任何受信任的证书哈希或指纹存储库,我可以查找证书的指纹?

错误,MD5 散列,如果你正忙着试图绕过的话,数字签名已经完成了。

在浏览器中使用小程序来保护浏览器的建议也没有意义。我认为你已经收到了一个没有问题的,很多矛盾的,在某些情况下毫无意义的要求,以及很多关于如何实施它的坏建议。

于 2013-07-30T22:40:12.323 回答