我正在向https服务器发送GET和POST请求,我搜索了一些使用https ssl的教程,并找到了各种过时的教程
所以现在我想知道我的书面代码是否安全或者根本不安全
final URL url = new URL(inputURL);
final HttpsURLConnection conn_get = (HttpsURLConnection) url.openConnection();
SSLSocketFactory sslSocketFactory = createTrustAllSslSocketFactory();
conn_get.setSSLSocketFactory(sslSocketFactory);
in = new BufferedInputStream(conn_get.getInputStream());
...
和SSLSocketFactory
private static SSLSocketFactory createTrustAllSslSocketFactory() throws Exception {
TrustManager[] byPassTrustManagers = new TrustManager[]{ new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
public void checkClientTrusted(X509Certificate[] chain, String authType) {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) {
}
}};
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, byPassTrustManagers, new SecureRandom());
return sslContext.getSocketFactory();
}
为了安全起见,我是否应该更改某些内容?
答案 0 :(得分:2)
所以现在我想知道我的书面代码是否安全还是根本不安全
这是不安全的,因为您盲目地接受所有SSL证书,甚至是欺诈性证书。您的应用will not be allowed to ship on the Play Store以及某些国家/地区you might be sued by the government。
我应该改变什么
保留以下内容:
final URL url = new URL(inputURL);
final HttpsURLConnection conn_get = (HttpsURLConnection) url.openConnection();
in = new BufferedInputStream(conn_get.getInputStream());
删除其他所有内容。