iOS certificate pinning and Amazon Certificate Manager

Tags: ios amazon-web-services ssl ssl-certificate

I can't find good information about certificate pinning on iOS together with Amazon Certificate Manager.

They recommend that you do not pin an ACM certificate.

https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning

We recommend that your application not pin an ACM Certificate

The reason they don't recommend it is:

To renew a certificate, ACM generates a new public-private key pair.

Instead, they recommend:

If you're using a public certificate, pin your application to all available Amazon root certificates.

I understand why you should not pin to the ACM certificate: you would have to ship an update with the new certificate, which could brick clients. You also can't pin the public key, because it changes.

What I don't understand is how pinning only the root certificate is OK. Does it still prevent man-in-the-middle attacks? How is this more secure?

Can someone explain this better?

Best answer

Pinning the root certificate is not more secure. I think what the Amazon docs are trying to recommend is an approach that does not break network connections when certificates expire and are renewed.

Here is a quote from this site explaining the different types of certificate pinning:
https://carvesystems.com/news/cert_pin/

Leaf Cert: A leaf cert is the top level cert in a certificate chain. Pinning a leaf cert brings us to almost complete certainty that the certificate matches. However, if you cycle your leaf certs often, updates need to roll out fairly frequently to make sure your customer's app continues to work.

Intermediate Cert: The intermediate cert lives between the leaf and root cert. In this case, pinning against the intermediate cert, you're putting your trust in the intermediate certificate authority. Therefore, you can update your server's leaf cert more often, as the validation of certs occurs on the intermediate cert.

Root Cert: Finally, the root cert comes from the trusted certificate authority. Pinning the root cert alone puts trust in the root cert authority, as well as all intermediaries that the root cert authority trusts.

Hope this helps
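As an added example (not part of the question or the answer above, and not code from Amazon or Apple), here is what the "pin to all available Amazon root certificates" advice looks like in an iOS app: a URLSessionDelegate that first lets the system validate the chain as usual (hostname, expiry, system trust store) and then requires that at least one certificate in the validated chain carries a pinned SubjectPublicKeyInfo (SPKI) SHA-256 hash. Because the pin is on the root's key rather than the leaf's, ACM generating a new key pair at renewal does not invalidate the pin. The hash strings are placeholders to be filled in from the roots published by Amazon Trust Services, the type and function names are mine, and it assumes iOS 15 or later for SecTrustCopyCertificateChain (older systems would use SecTrustGetCertificateAtIndex instead).

```swift
import Foundation
import Security
import CryptoKit

// Base64 SHA-256 digests of the DER SubjectPublicKeyInfo of the Amazon root CAs.
// PLACEHOLDERS (assumption): compute the real values from the root certificates
// published by Amazon Trust Services before shipping; see the usage note below.
let pinnedRootSPKIHashes: Set<String> = [
    "REPLACE_WITH_SPKI_SHA256_OF_AMAZON_ROOT_CA_1",
    "REPLACE_WITH_SPKI_SHA256_OF_AMAZON_ROOT_CA_2",
    "REPLACE_WITH_SPKI_SHA256_OF_AMAZON_ROOT_CA_3",
    "REPLACE_WITH_SPKI_SHA256_OF_AMAZON_ROOT_CA_4",
]

// SecKeyCopyExternalRepresentation returns the bare key (PKCS#1 for RSA, X9.63 for EC),
// not the SPKI structure that pins are computed over, so the DER SPKI header for the
// key type and size is prepended. These four headers cover RSA-2048, RSA-4096,
// P-256 and P-384, which is what the Amazon root keys use.
private let rsa2048Header: [UInt8] = [0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
                                      0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00]
private let rsa4096Header: [UInt8] = [0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
                                      0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00]
private let ecP256Header: [UInt8] = [0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
                                     0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00]
private let ecP384Header: [UInt8] = [0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01,
                                     0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00]

/// Rebuilds the DER SubjectPublicKeyInfo for a certificate's public key, or nil for
/// key types this pin set does not cover (such a certificate simply cannot match a pin).
private func spkiData(for key: SecKey) -> Data? {
    guard let attrs = SecKeyCopyAttributes(key) as? [String: Any],
          let type = attrs[kSecAttrKeyType as String] as? String,
          let bits = attrs[kSecAttrKeySizeInBits as String] as? Int,
          let raw = SecKeyCopyExternalRepresentation(key, nil) as Data? else { return nil }
    let rsa = kSecAttrKeyTypeRSA as String
    let ec = kSecAttrKeyTypeECSECPrimeRandom as String
    let header: [UInt8]
    switch (type, bits) {
    case (rsa, 2048): header = rsa2048Header
    case (rsa, 4096): header = rsa4096Header
    case (ec, 256):   header = ecP256Header
    case (ec, 384):   header = ecP384Header
    default:          return nil
    }
    return Data(header) + raw
}

/// True if any certificate in the evaluated chain (leaf, intermediates or the root
/// anchor) has an SPKI hash in the pinned set. Run this only after the trust has been
/// evaluated, because the anchor is part of the chain only once evaluation has happened.
func chainMatchesPin(_ trust: SecTrust) -> Bool {
    guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate] else { return false }
    for cert in chain {
        guard let key = SecCertificateCopyKey(cert), let spki = spkiData(for: key) else { continue }
        let digest = Data(SHA256.hash(data: spki)).base64EncodedString()
        if pinnedRootSPKIHashes.contains(digest) { return true }
    }
    return false
}

final class RootPinningDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // 1. Normal validation still applies: a pinned root does not excuse an expired or
        //    mis-named leaf, and an attacker's self-signed chain fails here already.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // 2. Pin check: a chain that validates under some other system root (the MITM
        //    case the question asks about) is rejected because no pinned SPKI is present.
        guard chainMatchesPin(trust) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage: URLSession(configuration: .default, delegate: RootPinningDelegate(), delegateQueue: nil)
```

The pin values are produced from each root PEM with the usual HPKP-style pipeline: openssl x509 -in AmazonRootCA1.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64. The check accepts any certificate in the chain, so the same code works if you later decide to pin an intermediate instead; what changes is only which hashes you ship, and with root pins the ACM renewal (new leaf key pair) is invisible to the app as long as the chain still terminates at one of the pinned Amazon roots.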

For "iOS certificate pinning and Amazon Certificate Manager", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/60271528/
