SSL and Session Hijacking/Fixation


Problem description

Quick question. Does SSL totally prevent session hijacking/fixation? Thanks.

Recommended answer

No. Hijacking may be done for example in these scenarios:

  • Hacked CA root signs invalid certificates. The certificate may be used to stage man-in-the-middle attacks.
  • Hacked domain owner e-mail inbox makes it possible for the hacker to buy a domain-validated certificate.
  • Bad key policies may make it possible for an attacker to gain the private key for the certificate.
  • A local attack on the client computer may make it possible to see what's going on in the system, including reading session cookies, intercepting SSL traffic, injecting false CA root certificates in the system's keychain and so on.
  • An intrusion by an attacker on the server may be used in any number of ways to intercept traffic, reroute packets or read important system files.
  • The client library must validate the SSL certificate and deny sessions with invalid or expired certificates, otherwise it's as trivial to intercept the HTTP traffic as if it were in plain text.
  • It may be possible with an XSS attack which gives the cookie away. Web browsers should try to protect against this but you never know if all components work as expected.
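The answer's point is that TLS protects the wire, not the session: the cookie-stealing XSS case and the fixation half of the question are handled by the application. The following is an added example, not code from the original answer, showing the two server-side controls that close those gaps: rotating the session id at login so a pre-planted id never becomes an authenticated session, and issuing the cookie with the Secure, HttpOnly and SameSite attributes (plus a small audit of a Set-Cookie value). The SessionStore and audit_set_cookie names and the in-memory store are constructed for illustration.

```python
import secrets


class SessionStore:
    """In-memory session store (constructed example): session id -> session data."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Fresh, unpredictable id for an anonymous visitor.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Rotate the id at authentication: an id that was known before login
        # (fixation) is invalidated and never promoted to an authenticated session.
        data = self._sessions.pop(sid, {})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def session_cookie_header(sid):
    # Secure: never sent over plain HTTP.  HttpOnly: not readable by script,
    # which blunts the XSS case above.  SameSite: not attached to cross-site requests.
    return f"sessionid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def audit_set_cookie(header):
    """Return the protections missing from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite")
    return missing
```

A session id issued before login is useless afterwards, and a Set-Cookie line lacking the three attributes shows up in the audit even though it travelled over TLS.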
