问题
I'm new to android, I have seen many people hiding their SHA-1 certificate fingerprint. I have developed an app using google play services and shared it with someone. It has my SHA-1 certificate fingerprint in it. Can a hacker do any damage to me by knowing my SHA-1 Certificate.
Thanks.
回答1:
The certificate fingerprint is calculated from the certificate. The certificate itself is public information and transferred in clear during the SSL/TLS handshake. Which makes the fingerprint public information too, i.e. there is usually no danger in having it known by others.
But one could probably construct a situation where this might be dangerous. For example if your application uses the fingerprint to verify that it connects to the correct site and this site is an illegal site and you know this. In this case one could probably try to associate you with illegal activities from the fact that you've included the fingerprint of this certificate in your application.
回答2:
No they can't do any harm to you by knowing this information.
In public key cryptography there are two pieces of information that are used for encryption and decryption of data. Private key, that you have and are not sharing with anyone, and public key. You can share public key with others, so they can send you encrypted data.
SHA1 fingerprint is just fingerprint of that public key, so anyone having your public key, can verify that it is really your key and not someone else.
来源:https://stackoverflow.com/questions/44577162/if-someone-knows-your-sha-1-certificate-fingerprint-how-dangerous-is-that