
ssl - Users get "website unsafe" on my website

Reposted. Author: 太空宇宙. Updated: 2023-11-03 14:10:00

In case it matters, I have a portfolio website running on an IIS Windows server. But some people report that they get "website unsafe" when browsing the site. I personally have not seen that error; I tried the site on other devices and they did not get it either.

Could it be related to the SSL certificate? I did not buy one, but according to ssl checker I have a self-signed certificate. Do I need to buy a trusted SSL certificate? Or is there some other problem?

On my website I have a "Contact Us" page containing a web form where users fill in their name, email...

Edit: I don't know whether I am allowed to post the website link here; let me know if it is needed.

Edit: Website link here.

Best answer

This is the general problem with self-signed certificates: visitors to your website, or rather their browsers, cannot verify your server's identity. The reason is that no certificate authority signed it, so the browser has no (root) certificate in its trust store that forms a chain of trust to your certificate.

This problem with self-signed certificates is explained very well in this post.

The risks are for the client. The point of the SSL server certificate is that it is used by the client to know the server public key, with some level of guarantee that the key indeed belongs to the intended server. The guarantee comes from the CA: the CA is supposed to perform extensive verification of the requester identity before issuing the certificate.

When a client (the user and his Web browser) "accepts" a certificate which has not been issued by one of the CAs that the client trusts (the CAs which were embedded in Windows by Microsoft), then the risk is that the client is currently talking to a fake server, i.e. is under attack. Note that passive attacks (the attacker observes the data but does not alter it in any way) are thwarted by SSL regardless of whether the CA certificate was issued by a mainstream CA or not.

On a general basis, you do not want to train your users to ignore the scary security warning from the browser, because this makes them vulnerable to such server impersonation attacks (which are not that hard to mount, e.g. with DNS poisoning). On the other hand, if you can confirm, through some other way, that the certificate is genuine that one time, then the browser will remember the certificate and will not show warnings for subsequent visits as long as the same self-signed certificate is used. The newly proposed Convergence PKI is an extension of this principle. Note that this "remembered certificate" holds as long as the certificate is unchanged, so you really want to set the expiry date of your self-signed certificate in the far future (but not beyond 2038 if you want to avoid interoperability issues).

It shall be noted that since a self-signed certificate is not "managed" by a CA, there is no possible revocation. If an attacker steals your private key, you permanently lose, whereas CA-issued certificates still have the theoretical safety net of revocation (a way for the CA to declare that a given certificate is rotten). In practice, current Web browsers do not check revocation status anyway.
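To make the answer's point concrete, here is an added Go example (it is not from the question, the answer, or the quoted post) that does what a visitor's browser does with the `crypto/x509` standard library: it builds a self-signed server certificate of the kind IIS produces, shows that a browser with only the public CA list rejects it as coming from an unknown authority, shows that the same certificate is accepted once it has been imported ("remembered"), and finally shows the same hostname with a certificate issued by a CA whose root is in the trust store. The hostname `portfolio.example`, the CA name "Example Root CA", and the ten-year validity are constructed values for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn. With parent == nil it is self-signed (issuer == subject),
// which is what an IIS "Create Self-Signed Certificate" gives you. Panics on error to keep the demo short.
func newCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // browsers match the host against SANs, not the CN
	}
	signer, signerKey := tmpl, key // sign with our own key unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// isSelfSigned gives the verdict an SSL checker reports: the issuer name equals the subject
// and the signature verifies under the certificate's own public key.
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// browserVerdict does what a visitor's browser does: chain the server certificate to a root
// in its trust store and check the hostname. Returns "secure" or the reason for the warning.
func browserVerdict(server *x509.Certificate, trusted *x509.CertPool, host string) string {
	_, err := server.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "secure"
	case errors.As(err, &unknownCA):
		return "unknown authority: no trusted root signs this certificate"
	default:
		return err.Error()
	}
}

func main() {
	host := "portfolio.example" // constructed hostname for the demo
	tenYears := time.Now().Add(10 * 365 * 24 * time.Hour)

	// 1. Self-signed server certificate, as on the IIS box in the question.
	selfSigned, _ := newCert(host, false, tenYears, nil, nil)
	publicTrust := x509.NewCertPool() // stands in for the browser's built-in CA list
	fmt.Println("self-signed:", isSelfSigned(selfSigned))
	fmt.Println("visitor's browser:", browserVerdict(selfSigned, publicTrust, host))

	// 2. A visitor who imported the certificate once: the browser now "remembers" it.
	remembered := x509.NewCertPool()
	remembered.AddCert(selfSigned)
	fmt.Println("after import:", browserVerdict(selfSigned, remembered, host))

	// 3. Certificate for the same host issued by a CA whose root is in the trust store.
	ca, caKey := newCert("Example Root CA", true, tenYears, nil, nil)
	caSigned, _ := newCert(host, false, tenYears, ca, caKey)
	publicTrust.AddCert(ca)
	fmt.Println("CA-issued:", browserVerdict(caSigned, publicTrust, host))
}
```

Run it with `go run`. The difference between case 1 and case 3 is exactly the chain the answer describes: the certificate contents are the same in every respect that matters to the visitor, only the signer changes. Case 2 is why the site owner and a few other devices never see the warning while new visitors do, and `browserVerdict` also fails for a hostname that is not in the certificate's SANs, which is the other common cause of "website unsafe".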

Regarding ssl - Users get "website unsafe" on my website, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/32786057/
