Is it possible to secure an application if it is unlikely that the website will have an SSL certificate?


Question


We live in a world of WordPress blogs, Joomla sites, and osCommerce shops where users routinely log in to their 'secure' admin areas by sending their usernames and passwords over the internet in plain text. We all know that's bad, but no one ever seems to upgrade their site to use SSL/TLS and developers are quite happy making applications that work over good old http.

Depending on the application, there must be a point at which people don't think it's worth implementing any greater security measures to protect their assets? If the choices are:

  1. No security at all
  2. Security from obscurity
    • +) Only certain people know which URL to go to
    • -) It's only a matter of time...
  3. Authenticate with a username only
    • +) Ok if the username is obscure and well constructed
    • -) Brute force attacks are too effective
  4. Authenticate with a username and password
    • +) Marginally better than just a username
    • -) Marginally better than just a username
  5. Authenticate with a hash of username and password
    • +) Prevents database hackers stealing password lists
    • -) If someone can hack your database, you shouldn't be worrying about plain text passwords
  6. Authenticate with JavaScript encryption (see Javascript asymmetric encryption and authentication)
    • +) Prevents usernames and passwords from being sent over plain text
    • -) A Man In The Middle could intercept the JavaScript and steal your passwords anyway
  7. Do any of the above over SSL
    • +) Prevents man in the middle attack
    • -) If a hacker is this determined, they'll find another way to bring you down

If the first 5 are easy for your average Wikipedia reader to work out, number 6 needs just a bit more knowledge and hackers ignore number 7 to move on to other vulnerabilities, none of these are actually a satisfactory way to guarantee absolute peace of mind.

Questions:

  1. What level of security is the cut off point for your average WordPress blog, or phpBB forum?
  2. Why has username + password become so prevalent?
  3. How should web application developers create future applications, knowing that an SSL certificate might not always be available?
  4. Is there really any point in designing a site with a 'secure' area if it is going to be used over http?

Solution

  1. I ALWAYS use a hashed password with a salt. It is also good to implement some sort of brute force checking to block IPs that attempt more than X failed logins, etc.

  2. It's a system people know. Giving someone a 32 character guid might work better if they could remember it. The problem is people not using good passwords and using the same passwords for banking as they do for e-mail as they do for facebook. A possible scenario: you go to joe blow's site because he's offering a free ringtone, and you create an account using the same user/pass you use everywhere. Joe Blow doesn't encrypt your password, instead he uses it to try to access various banking websites using the same username/password combo. If you entered your e-mail on the site and used the same password as your e-mail, then he can access that and find out what bank you use when you get an e-mail from them letting you know your statement is available. The weakest link is almost always the user not being careful enough.

  3. Some of the extra precautions I take beyond IP checking, brute force protection, etc., is to make sure the user-agent stays the same for the life of the session. It's just one extra check that helps protect against someone brute-forcing session IDs...they'd have to also spoof the user agent perfectly, which would require a man in the middle or someone with a live view of the DB...which isn't usually worth worrying about.

  4. I have yet to have an admin area hacked, but I have seen attempts. Everyone knows that they can go to wp-admin/ inside a wordpress website. If there were no authentication, there wouldn't be a blog in the world that didn't have 1000 blogs by a spammer overnight. It may not keep out the hacker-elites and middle-men...but most blogs aren't worth the efforts for those guys. But not having any credentials would let any guy who can write a bot access everyone's blogs.
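Items 1 and 3 of the answer (salted password hashing, a per-IP failed-login limit, and binding a session to its User-Agent) in working form. This is an added example, not code from the original post or from WordPress, phpBB or any other project named on the page. It assumes PBKDF2-HMAC-SHA256 as the salted hash, a limit of 5 failures and a 15-minute lockout as the answer's "X", and plain in-memory dictionaries standing in for the user, lockout and session tables; all of those values and structures are assumptions, and the injected clock exists only so the lockout expiry can be exercised deterministically.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Assumed parameters (not from the page): iteration count for PBKDF2-HMAC-SHA256,
# the answer's "X failed logins" and how long an IP stays blocked afterwards.
PBKDF2_ITERATIONS = 600_000
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, so a leaked table cannot be attacked with a
    single precomputed list (answer item 1)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AuthService:
    """Minimal login service: salted hashes, per-IP lockout, UA-bound sessions."""

    def __init__(self, now=time.time):
        self.now = now            # clock is injectable so lockout expiry can be tested
        self.users = {}           # username -> (salt, digest)
        self.failures = {}        # client ip -> (failed count, time of last failure)
        self.sessions = {}        # session id -> {"user": ..., "ua": ...}

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _locked(self, ip: str) -> bool:
        count, last = self.failures.get(ip, (0, 0.0))
        if count < MAX_FAILED_LOGINS:
            return False
        if self.now() - last < LOCKOUT_SECONDS:
            return True
        del self.failures[ip]     # lockout window has passed; start counting again
        return False

    def login(self, username: str, password: str, ip: str, user_agent: str) -> Optional[str]:
        """Return a session id on success, None on failure or while the IP is locked out."""
        if self._locked(ip):
            return None
        record = self.users.get(username)
        # Hash even for unknown usernames so response time does not reveal which
        # usernames exist; the dummy salt/digest is a constructed placeholder.
        salt, digest = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
        valid = verify_password(password, salt, digest)
        if record is None or not valid:
            count, _ = self.failures.get(ip, (0, 0.0))
            self.failures[ip] = (count + 1, self.now())
            return None
        self.failures.pop(ip, None)
        sid = secrets.token_urlsafe(32)     # 256 bits of entropy; not guessable by brute force
        self.sessions[sid] = {"user": username, "ua": user_agent}
        return sid

    def current_user(self, sid: str, user_agent: str) -> Optional[str]:
        """Answer item 3: a session id presented with a different User-Agent is rejected."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if not hmac.compare_digest(session["ua"].encode("utf-8"), user_agent.encode("utf-8")):
            return None
        return session["user"]


if __name__ == "__main__":
    svc = AuthService()
    svc.register("admin", "correct horse battery staple")
    sid = svc.login("admin", "correct horse battery staple", "203.0.113.5", "Mozilla/5.0 (example)")
    print("logged in as", svc.current_user(sid, "Mozilla/5.0 (example)"))
    print("same id, other UA:", svc.current_user(sid, "curl/8.0"))
```

None of this changes what the question is really about: over plain http the password and the session id still cross the network in the clear, so the lockout and the User-Agent check raise the cost of guessing, not of eavesdropping. The salted hash protects the stored table (option 5 in the question), and only option 7, TLS, addresses the wire.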
