proxyee

Security issue

Open hanjiangxuehua opened this issue 5 years ago • 1 comments

When setting up the client SSL, the code uses this snippet:

    serverConfig.setClientSslCtx(
        SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE).build());

I have seen people online say that InsecureTrustManagerFactory is very insecure, and the official documentation says so too: https://netty.io/4.1/api/io/netty/handler/ssl/util/InsecureTrustManagerFactory.html

"An insecure TrustManagerFactory that trusts all X.509 certificates without any verification. NOTE: Never use this TrustManagerFactory in production. It is purely for testing purposes, and thus it is very insecure."

Is this a potential risk?

hanjiangxuehua avatar Dec 06 '19 12:12 hanjiangxuehua

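No. First, this certificate-check bypass only takes effect when the HTTPS sniffing feature is enabled, and the prerequisite for enabling HTTPS sniffing is that the root certificate generated by proxyee has been installed manually. Since the root certificate has been installed, that means the user has accepted this security risk.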

monkeyWie avatar Dec 09 '19 01:12 monkeyWie
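
An added example, not code from this thread or from the proxyee project: the client `SslContext` from the issue next to variants that verify the upstream server. When a proxy intercepts HTTPS, its upstream connection is the only point where the origin server's certificate is checked. The class name, method names and the CA file parameter are assumptions made for illustration.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import java.io.File;

// Hypothetical helper class; not part of proxyee or Netty.
public final class UpstreamSslContexts {

    // The setting quoted in the issue: every upstream certificate is accepted,
    // including self-signed, expired or wrong-host certificates.
    static SslContext insecure() throws SSLException {
        return SslContextBuilder.forClient()
                .trustManager(InsecureTrustManagerFactory.INSTANCE)
                .build();
    }

    // No trustManager(...) call: Netty falls back to the platform default
    // trust store, so the upstream chain must lead to a trusted CA.
    static SslContext platformTrust() throws SSLException {
        return SslContextBuilder.forClient().build();
    }

    // Trust only the CA certificates in a PEM file, e.g. for an internal PKI.
    // caPem is an assumed path supplied by the caller.
    static SslContext privateCa(File caPem) throws SSLException {
        return SslContextBuilder.forClient().trustManager(caPem).build();
    }

    // In Netty 4.1, chain validation alone does not compare the certificate
    // to the host name; endpoint identification is enabled per engine.
    static SSLEngine verifyingEngine(SslContext ctx, ByteBufAllocator alloc,
                                     String host, int port) {
        SSLEngine engine = ctx.newEngine(alloc, host, port);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }
}
```

Either verifying context can be passed to `serverConfig.setClientSslCtx(...)` in place of the one quoted in the issue. Whether the host-name check applies depends on how the proxy creates its `SSLEngine`.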