Securing web server against MITM attack in Safari


Problem description

I have been looking for a way to make sure my web server is secure against a man-in-the-middle attack. It does seem that Google Chrome and Firefox work in blocking requests to my server even if I select to advance after the security warning. I am testing this by using Charles Proxy to intercept HTTPS traffic without having trusted the Charles cert on my Mac.

When I run the same tests with Safari it will let me through if I choose to ignore the security warning, which I expect a certain number of users to do. So it seems there is more configuration needed to lock down Safari traffic. I know this is possible because when trying to navigate to github.com with the same scenario I get the following message:

Does anyone know what GitHub is doing to block Safari traffic on an untrusted connection?

Recommended answer

Looks like Safari is supporting HSTS and that github is using it. Their HTTP response contains the following header:

Strict-Transport-Security:max-age=31536000; includeSubdomains; preload

This way a browser supporting HSTS knows that for the foreseeable time this site should only be visited with https, and any attempts to use http only will automatically be upgraded by the browser.

Apart from basic HSTS, which only works after the first visit to the site, github also adds the preload directive. This tells browser makers that github would like to be included in the preloaded HSTS list shipped with the browsers, so that the browser applies HSTS even if the site was never visited before by the user. See HSTS Preloading for more information.
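As an added check (example code, not part of the answer above), this is how a browser-style parser reads that header and whether the policy would satisfy the HSTS preload submission requirements; the header value is the one the answer quotes, and the one-year max-age threshold is the preload list's published minimum. The reason the questioner could not click through the Charles certificate warning on github.com is that a known HSTS host makes TLS errors a hard failure with no user override (RFC 6797 section 8.4), which is exactly what this header switches on.

```python
# Added example (not from the original answer): parse and evaluate a
# Strict-Transport-Security header as a browser would (RFC 6797).
import re

# Constructed input: the header value quoted in the answer for github.com.
GITHUB_HSTS = "max-age=31536000; includeSubdomains; preload"

ONE_YEAR = 31536000  # preload list requires a max-age of at least one year


def parse_hsts(value):
    """Return {directive: value}, or None when the header is invalid.

    Directive names are case-insensitive (RFC 6797 section 6.1), so the
    'includeSubdomains' spelling in github's header is accepted. A directive
    given twice, or a missing or non-numeric max-age, invalidates the whole
    policy; a browser then ignores the header entirely.
    """
    policy = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # RFC 6797 allows quoted-string values
        if name in policy:
            return None  # duplicate directive -> invalid header
        policy[name] = val
    if not re.fullmatch(r"\d+", policy.get("max-age", "")):
        return None
    policy["max-age"] = int(policy["max-age"])
    return policy


def evaluate(value):
    """Summarise what a conforming browser would take from this header."""
    policy = parse_hsts(value)
    if policy is None:
        return {"valid": False}
    subs, preload = "includesubdomains" in policy, "preload" in policy
    return {
        "valid": True,
        "max_age": policy["max-age"],
        "include_subdomains": subs,
        "preload": preload,
        # Submission to the preload list requires all three conditions.
        "preload_eligible": policy["max-age"] >= ONE_YEAR and subs and preload,
    }
```

Run `evaluate` against your own server's header to see whether it merely enables HSTS after the first visit or is also eligible for preloading, which is what protects users who have never visited the site before.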

