问题描述:

I'm communicating with my server from an iOS app via HTTPS, and would like to harden it a bit to mitigate risk of man in the middle attacks. Which are the best X.509 fields to verify to detect MITM attacks?

Would verifying the certificate's serial number and issuer signature be most effective? Assuming, of course, that my issuer is not in cahoots with Eve and that Eve has not stolen my issuer's signing key. Self signing would eliminate the first threat.

Would verifying the certificate's subject and issuer signature be almost as secure, but leave me with the flexibility of being able to renew the certificate?

网友答案:

Attacker can issue certificate with all the same fields as yours one. So the only ways to check it - to check fingerprint (i.e. hash of public key stored in certificate) or to check the whole certificate chain (if you are using authority-signed certificate). However, first approach doesn't have flexibility to quickly reissue the certificate in case it is stolen/revoked.

相关阅读:
Top