Is HTTPS the only defense against Session Hijacking in an open network?


Question

So with Firesheep, everyone in a public Wi-Fi now has a one-click session hijack tool.

The way it works - to my understanding - is that it simply captures all traffic and grabs the session cookie (so it doesn't steal passwords).

From my understanding, this also means that an HTTPS secured login does not solve this alone, as further HTTP traffic would include the Session Cookie in clear text again.

Tying the session to a specific IP address is useless thanks to NAT, and tying it to the user agent is easy to spoof.

So is 100% HTTPS at all times the only way to prevent this type of session hijacking? Couldn't people simply sniff the entire HTTPS Traffic including the handshake, or is this stuff safe? (I'm thinking of replay attacks, but have no knowledge in that area.)

Of course, not using public/open Wi-Fi Networks is the better choice, but I'm still interested in what a website developer can do to protect his/her users.

Answer

Firesheep is nothing new. Session hijacking has been around for as long as web applications have been using Session IDs. Usually hackers just set their own cookie by typing this into the address bar: javascript:document.cookie='SOME_COOKIE'. This tool is for script kiddies that fear 1 line of JavaScript.

Cookies can be hijacked if you don't use HTTPS for the entire life of the session and this is a part of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.

1) Use httponly cookies.

2) Use "secure cookies" (Horrible name, but it's a flag that forces the browser to make the cookie HTTPS only.)

3) Scan your web application for XSS.

Also don't forget about CSRF! (Which Firesheep doesn't address.)
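The answer's three points (Secure flag against sniffing on an open network, HttpOnly against XSS, plus the CSRF reminder) can be checked mechanically on a site's own `Set-Cookie` headers. The following is an added example in Python, not code from the question or the answer: it builds a hardened session cookie with the standard library `http.cookies` module and audits an arbitrary `Set-Cookie` header for the missing protections. The cookie name `sid`, the one-hour lifetime and the constructed sample headers are assumptions for the example. The `SameSite` attribute and the `Strict-Transport-Security` (HSTS) helper go beyond the answer's list: `SameSite` narrows the CSRF exposure the answer mentions, and HSTS is how a site tells browsers to stay on HTTPS for the whole session, which is what "100% HTTPS at all times" asks for in practice.

```python
from http.cookies import SimpleCookie

# Attributes a session cookie should carry against the two hijack paths in the
# answer: sniffing on an open network (Secure) and XSS (HttpOnly). SameSite is
# an addition here that limits cross-site requests (part of the CSRF story).
REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")


def build_session_cookie(session_id: str, max_age: int = 3600) -> str:
    """Return the value of a hardened Set-Cookie header for a session id.

    The cookie name 'sid' and the one-hour lifetime are assumptions for this
    example; the answer does not name them. Requires Python 3.8+ (SameSite).
    """
    jar = SimpleCookie()
    jar["sid"] = session_id
    morsel = jar["sid"]
    morsel["secure"] = True     # never sent over plain HTTP, so a sniffer never sees it
    morsel["httponly"] = True   # hidden from document.cookie, so XSS cannot read it
    morsel["samesite"] = "Lax"  # not attached to cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    # output(header="") yields " sid=...; HttpOnly; ..."; drop the leading space.
    return jar.output(header="").strip()


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> list:
    """Return the protections (in REQUIRED_ATTRIBUTES order) that a Set-Cookie header lacks."""
    _, _, attrs = parse_set_cookie(header)
    missing = [a for a in REQUIRED_ATTRIBUTES if a.lower() not in attrs]
    # SameSite=None switches the cross-site restriction off, so treat it as absent.
    samesite = attrs.get("samesite")
    if isinstance(samesite, str) and samesite.lower() == "none":
        missing.append("SameSite")
    return missing


def hsts_header(max_age: int = 31536000) -> tuple:
    """Strict-Transport-Security header: browsers use only HTTPS for this host for max_age seconds."""
    return ("Strict-Transport-Security", f"max-age={max_age}; includeSubDomains")


if __name__ == "__main__":
    # Constructed sample headers: one hardened, one in the weak state the question describes.
    hardened = build_session_cookie("cafe1234")  # constructed session id, not a real one
    weak = "PHPSESSID=cafe1234; Path=/"
    print(hardened)
    print("hardened cookie missing:", audit_set_cookie(hardened))
    print("weak cookie missing:", audit_set_cookie(weak))
    print("%s: %s" % hsts_header())
```

Running `audit_set_cookie` over the headers a site actually emits (for example captured from a browser's developer tools) is a quick way to confirm that point 1 and point 2 of the answer are in place before relying on HTTPS alone.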
