Man in the Middle III / Notes
http://www.dest-unreach.org/socat/doc/socat.html socat - SSL:server:4443,cafile=server.crt,cert=client.pem MITM主要就是设置一个中间站,当Client端的安全设置不强的的时候,比如没有设置证书,或者没有检查证书的hostname是不是和站点的hostname匹配的时候,就可以通过设置中间站,让Client发来的信息误认为,这是一个有认证的站点,或者就是目标站点。从而暴露Client发过来的加密信息。 the application does not perform any validation to ensure that the hostname used by the TCP connection matches the hostname in the Subject of the certificate. *********************** TLS verification As part of a request sent over TLS, before sending the request, the client will make sure that: The certificate is valid. The certificate matches the hostname it's visiting. For example, if you bind the same socat from the previous exercise (using the self-signed certificate): $ sudo socat openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 - The connection will fail if you connect using the following ruby code: require 'socket' require 'openssl' socket = TCPSocket
