当使用IP时,是否可能发生中间人攻击(MITM)?

huangapple go评论95阅读模式
英文:

Are MITM possible when using IP

问题

如果我通过IP引用的API服务器进行TLS请求,那么证书验证可以防止的中间人攻击仍然可能发生吗?

背景信息(如果有助于澄清问题):我正在对一个没有与之关联的域名的静态IP的REST API进行TLS请求。为了使其在Go中工作,我必须在HTTP客户端的传输层设置InsecureSkipVerify: true。这会降低我的请求安全性吗?
我认为会,但我不知道具体原因。

英文:

If I'm making TLS requests to an API server that I'm referencing by IP, are the kinds of MITM attacks that certificate validation prevents still possible?

Background info if it clarifies the question: I'm making TLS requests to a REST API with a static IP that has no domain name associated with it. To make this work in Go, I have to set the InsecureSkipVerify: true, at the Transport layer of my HTTP Client. Does this make my requests less secure?
I would assume it does but I don't really know why.

答案1

得分: 5

正如@James所指出的,IP是TLS握手的一个无关组件。

标准的过程是:

  • 拨号主机名/端口
  • DNS查找主机名以获取IP
  • 与IP进行TLS握手
    • 显示主机名的证书标识
    • 验证证书名称与主机名匹配

使用InsecureSkipVerify: true跳过了最后一步,通常只在开发/测试期间使用。

但是,在此最后一步中,您可以使用不同的名称来匹配证书标识:利用tls.Config中的ServerName字段:

tc = &tls.Config{
    ServerName: "myhostname", // 证书标识
    RootCAs:    rootca,
    // InsecureSkipVerify: true // <- 避免使用此选项
}

d := tls.Dialer{
    Config: tc
}

conn, err := d.Dial("tcp", "127.0.0.1:8080")

在这里,我们拨号一个IP地址,执行TLS握手,但是与默认行为将主机证书与127.0.0.1进行比较不同,它将验证它是否与myhostname匹配。

英文:

As @James noted the IP is an irrelevant component of a TLS handshake.

While the standard procedure is:

  • dial hostname/port
  • DNS lookup hostname to get IP
  • TLS handshake w/ IP
    • reveals hostnames certificate identity
    • verify cert name matches hostname

Using InsecureSkipVerify: true skips the last step - and is generally only used during development/testing.

You can however use a different name, in this last step, for the certificate identity to match: leveraging the ServerName field in tls.Config:

tc = &amp;tls.Config{
	ServerName: &quot;myhostname&quot;, // certificate identity
	RootCAs:    rootca,
    // InsecureSkipVerify: true // &lt;- avoid using this
}

d := tls.Dialer{
    Config: tc
}

conn, err := d.Dial(&quot;tcp&quot;, &quot;127.0.0.1:8080&quot;)

Here we are dialing an IP address, performing a TLS handshake, but instead of the default behavior of comparing the host cert with 127.0.0.1, it will instead verify it matches myhostname.

huangapple
  • 本文由 发表于 2022年9月17日 20:17:32
  • 转载请务必保留本文链接:https://go.coder-hub.com/73754759.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定