
Comments (21)

aaawhz commented on May 28, 2024 · 32

Why are these all Ruan Yifeng's articles? Baidu itself has plenty of material introducing HTTPS.

youngwind commented on May 28, 2024 · 13

@Thinking80s Essentially it is hijacking. What should be emphasized, though, is this: the reason the hijack is possible is not that HTTPS is insecure, but that the operator deliberately installed and trusted the Charles root certificate authority.

silif commented on May 28, 2024 · 1

In the digital certificate diagram, shouldn't step 11 be decryption with the server's private key?

bravepg commented on May 28, 2024 · 1

Good article. In the last diagram, step 7 says "encrypt with the server's public key and send to the server", but where does this "server public key" come from? It would be best to explain at step 3 that Charles intercepts the response and obtains the public key from the server.

lefex commented on May 28, 2024 · 1

Well written. I wrote a piece, "Explaining HTTPS Through a Story": https://mp.weixin.qq.com/s/MfvUuitrF8MN16nxyZNB8A

sfsoul commented on May 28, 2024 · 1

Learned a lot. So the everyday capture tools Charles or Fiddler need a "certificate" installed before they can capture HTTPS packets, and a more accurate way to describe this "certificate" is: installing the Charles certificate authority or the Fiddler certificate authority. That is because the dynamic certificate the client receives is one generated by the proxy tool (Charles or Fiddler), not the server's own certificate. So on the client side the certificate has to be decrypted with the private key through the Charles or Fiddler certificate authority!

Thinking80s commented on May 28, 2024

So the Charles approach also counts as a kind of explicit hijacking.

wangning0 commented on May 28, 2024

@Thinking80s Capturing HTTPS works because you installed the Charles certificate; at that point Charles acts as both the client and the server.

angellaugh commented on May 28, 2024

Awesome, so clear, my confusion is resolved!

youngwind commented on May 28, 2024

Right, step 11 was written wrong; it should be "decrypt with the server's private key to obtain the session key". Thanks for the correction, it has been fixed. @silif

zhouatie commented on May 28, 2024

"Public key encrypts, private key decrypts" is not wrong, but it is only half right. The distinction between the public key and the private key is not about which one encrypts and which one decrypts; it is about which one is published and which one is kept secret. Moreover, both the public key and the private key can be used to encrypt and to decrypt; that is, within the same key pair, what the public key encrypts can only be decrypted by the private key, and what the private key encrypts can only be decrypted by the public key. So why don't we normally speak of "private key encryption"? Because the public key is public! Everyone has a copy of the public key, so encrypting with the private key is no different from not encrypting at all, is it? Therefore, in practice the private key is basically never used for encryption; its use is generally signing.

This paragraph left me a bit confused.

vevlins commented on May 28, 2024

Very clear, thanks for sharing!
Starred, will keep following.

maquannene commented on May 28, 2024

Right, step 11 was written wrong; it should be "decrypt with the server's private key to obtain the session key". Thanks for the correction, it has been fixed.

The red-text correction in the diagram still says: obtain the session private key.
Shouldn't it be: obtain the session key?

youngwind commented on May 28, 2024

@maquannene You're right, the diagram was updated incorrectly; it has now been updated again. You read very carefully, thanks for the correction.

maquannene commented on May 28, 2024

@youngwind Spreading knowledge, with reverence at heart.

jialinhome commented on May 28, 2024

The easiest-to-understand version I have seen 👍

ZexiFangkong commented on May 28, 2024

Well illustrated, concise and clear; it greatly deepened my understanding of HTTPS and corrected some of my earlier misconceptions.

zirconnnn commented on May 28, 2024

"After the client obtains the certificate, it opens it to get the domain name, hash and other information, and verifying the hash tells whether the content has been modified"? What does this mean, and how is this hash verified?

lc87624 commented on May 28, 2024

A picture really is worth a thousand words; whenever my memory gets fuzzy I take it out, have a look, and understand it again.

There is a typo in one place, just a heads-up:

判断是baidu的域名,根据charles自己的公钥和baidu的域名,生成正式 (determine that it is the baidu domain name, and from Charles's own public key and the baidu domain name generate a 正式)

In this sentence "正式" should be "证书" (certificate).
This part is quite important; it explains why the certificate's domain-name matching can pass.

huopochuan commented on May 28, 2024

Popxie commented on May 28, 2024

Well written. I wrote a piece, "Explaining HTTPS Through a Story": https://mp.weixin.qq.com/s/MfvUuitrF8MN16nxyZNB8A

Haha, also well written ~ easy to understand, and the two pieces each have their own style ~
