I was monitoring web traffic from my Android mobile using a man-in-the-middle proxy. As part of this I installed a certificate (signed by my server) to my mobile and I could see all applications sending sensitive information like passwords as clear text.
我使用中间人代理监控来自我的Android手机的网络流量。作为其中的一部分,我安装了一个证书(由我的服务器签名)到我的手机,我可以看到所有应用程序发送敏感信息,如密码作为明文。
I understand that SSL protocol takes care of establishing a secure communication, but does that eliminate the need to encrypt data?
我知道SSL协议负责建立安全通信,但这是否消除了加密数据的需要?
1 个解决方案
#1
0
So there are really 2 questions here:
所以这里有两个问题:
Does it eliminate the need to encrypt data in all cases? No.
它是否消除了在所有情况下加密数据的需要?没有。
Does it eliminate the need to encrypt data in most cases? Yes.
在大多数情况下,它是否消除了加密数据的需要?是。
To understand those answers we need to talk about one important thing: key distribution.
要理解这些答案,我们需要谈谈一件重要的事情:密钥分配。
How are you going to get the key to your user (the one making the request). If you have a reliable side-channel, then it's possible to send the key in the side channel. This means that any data encrypted and sent over TLS won't be decryptable even if the attacker can decrypt the TLS stream.
你如何获得用户的密钥(提出请求的人)。如果您有一个可靠的旁道,那么可以在侧面通道中发送密钥。这意味着即使攻击者可以解密TLS流,通过TLS加密和发送的任何数据都不会被解密。
For the average website, there's no reliable side-channel. For the average network service there isn't one either (implementations like sshd simply make the best effort approach of "assume the first connection is good").
对于普通网站来说,没有可靠的旁道。对于普通的网络服务,也没有一个(像sshd这样的实现只是尽力做到“假设第一个连接是好的”)。
If your data is important enough to justify the side-channel distribution of keys (preferably offline), then the added encryption inside of TLS can protect you from certain attack vectors.
如果您的数据非常重要,足以证明密钥的侧信道分配(最好是离线),那么TLS内部添加的加密可以保护您免受某些攻击媒介的影响。
However, ask yourself if its worth it for your use case. All security is a tradeoff of usability and simplicity...
但是,问问自己它是否适合您的用例。所有安全性都是可用性和简单性的权衡...
#1
0
So there are really 2 questions here:
所以这里有两个问题:
Does it eliminate the need to encrypt data in all cases? No.
它是否消除了在所有情况下加密数据的需要?没有。
Does it eliminate the need to encrypt data in most cases? Yes.
在大多数情况下,它是否消除了加密数据的需要?是。
To understand those answers we need to talk about one important thing: key distribution.
要理解这些答案,我们需要谈谈一件重要的事情:密钥分配。
How are you going to get the key to your user (the one making the request). If you have a reliable side-channel, then it's possible to send the key in the side channel. This means that any data encrypted and sent over TLS won't be decryptable even if the attacker can decrypt the TLS stream.
你如何获得用户的密钥(提出请求的人)。如果您有一个可靠的旁道,那么可以在侧面通道中发送密钥。这意味着即使攻击者可以解密TLS流,通过TLS加密和发送的任何数据都不会被解密。
For the average website, there's no reliable side-channel. For the average network service there isn't one either (implementations like sshd simply make the best effort approach of "assume the first connection is good").
对于普通网站来说,没有可靠的旁道。对于普通的网络服务,也没有一个(像sshd这样的实现只是尽力做到“假设第一个连接是好的”)。
If your data is important enough to justify the side-channel distribution of keys (preferably offline), then the added encryption inside of TLS can protect you from certain attack vectors.
如果您的数据非常重要,足以证明密钥的侧信道分配(最好是离线),那么TLS内部添加的加密可以保护您免受某些攻击媒介的影响。
However, ask yourself if its worth it for your use case. All security is a tradeoff of usability and simplicity...
但是,问问自己它是否适合您的用例。所有安全性都是可用性和简单性的权衡...