Good articles to read on SSL and HTTPS?
I had a problem with accepting i开发者_JS百科nvalid SSL certificate in my iPhone program. That problem is solved now, however I came to understanding that I have very abstract idea on how exactly the whole thing is working:
- how web browser is verifying that received certificate is really for host it communicates to and not faked by same party in the middle?
- if browser talks to some 3rd party (CA?) to do certificate check?
and many other questions... Would someone please recommend good source of information with in-depth enough description of how all parts click together?
Plenty of detail here: The First Few Milliseconds of an https Connection
And the definitive book on the subject: SSL and TLS: Designing and Building Secure Systems
Check the articles here, specifically "Introduction to SSL" and "Building user authentication systems for client-server environments."
Web Spoofing Revisited: SSL and Beyond
This is an excellent BlakHat talk on modern attacks against SSL: http://www.thoughtcrime.org/software/sslstrip/ Chrome recently introduced "Strict Transport Security" for https which partially addresses Moxie Marlen Spikes attacks.
精彩评论