The server has a certificate with the private key installed, and the client has only the public-key certificate installed. When the client authenticates, its public key is sent to the server, the server validates it, and if it matches, the client is considered legitimate.
Here is my problem: if the client's public-key certificate leaks, can't a malicious user take that public key and establish a connection to the server? And if the client's public-key certificate is installed in Windows, even in the trusted root certificate store, couldn't I write a program that accesses it?
Why does certificate authentication feel so insecure? Have I misunderstood something? Please comment.
CodePudding user response:
The authentication method you describe is used to authenticate a service, not to authenticate clients. In a secure system, server authentication is very important.
If you cannot verify the server, the client may end up connected to a server it merely believes is the right one, and the confidential data it transfers may be compromised.
And a public-key certificate is public: you cannot rely on the fact that a client has the public key to verify that client.
Clients can verify themselves in one of the following ways:
1. username and password (after the server has been authenticated, over a secure connection);
2. a client certificate (one certificate per client, each client having its own private key);
3. multi-factor authentication...
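The second method in the answer (one certificate per client, each with its own private key) is exactly what makes a leaked public certificate harmless, which is the situation the question worries about. The Go program below is an added example, not code from the question or the answer: it constructs a private CA, a server certificate and a client certificate for "alice" (the names, the CA and the loopback port are invented for the demonstration), configures the server to require a CA-issued client certificate, and runs the TLS handshake twice: once for alice holding her private key, and once for someone holding only a copy of alice's certificate, the public half as it could be exported from a certificate store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // example code: abort on any setup failure
	}
}

// newCert generates a P-256 key pair plus a certificate for it, self-signed when issuer is nil.
func newCert(cn string, isCA bool, issuer *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for sequential calls
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	var parent, signer = tmpl, interface{}(key) // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one mutual-TLS handshake over loopback TCP and returns the server's verdict.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		check(err)
		defer conn.Close()
		serverDone <- tls.Server(conn, serverCfg).Handshake()
	}()
	client, clientErr := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial includes the handshake
	if clientErr == nil {
		client.Close()
	}
	if err := <-serverDone; err != nil {
		return err // the server does the authenticating, so its reason wins
	}
	return clientErr
}

// scenarios builds a constructed private CA with a server and client "alice" under it, then
// returns the server's verdict for alice and for someone holding only a copy of her certificate.
func scenarios() (legit, publicCertOnly error) {
	ca := newCert("ca.example", true, nil)
	server := newCert("server.example", false, &ca)
	alice := newCert("alice", false, &ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             tls.RequireAndVerifyClientCert, // client must prove ownership of a CA-issued cert
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // so the server sends nothing after the client's final flight
	}
	clientCfg := func(cert tls.Certificate) *tls.Config {
		return &tls.Config{
			RootCAs:    pool, // the client verifies the server's certificate first
			ServerName: "server.example",
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
				return &cert, nil // offer the certificate unconditionally, usable or not
			},
		}
	}
	legit = handshake(serverCfg, clientCfg(alice))
	copied := tls.Certificate{Certificate: alice.Certificate, Leaf: alice.Leaf} // public half only, no key
	publicCertOnly = handshake(serverCfg, clientCfg(copied))
	return
}

func main() {
	fmt.Println(scenarios()) // <nil> for alice (accepted), an error for the copied certificate
}
```

The first handshake succeeds because alice signs the handshake transcript (the CertificateVerify message) with her private key and the server checks that signature against the certificate it just verified. The second fails inside the client's own TLS stack, which cannot produce that signature without the key, and the server sees only a handshake-failure alert; a certificate issued by some other CA would instead be rejected by the server's chain verification against ClientCAs. In both cases, possession of a public certificate alone authenticates nobody, so the part that has to be protected on the client machine is the private key, not the certificate.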