Is HTTPS the only defense against Session Hijacking in an open network?


Question

So with Firesheep, everyone in a public Wi-Fi now has a one-click session hijack tool.

The way it works - to my understanding - is that it simply captures all traffic and grabs the session cookie (so it doesn't steal passwords).

From my understanding, this also means that an HTTPS-secured login does not solve this alone, as further HTTP traffic would include the session cookie in clear text again.

Tying the session to a specific IP address is useless thanks to NAT, and tying it to the user agent is easy to spoof.

So is 100% HTTPS at all times the only way to prevent this type of session hijacking? Couldn't people simply sniff the entire HTTPS traffic including the handshake, or is this stuff safe? (I'm thinking of replay attacks, but have no knowledge in that area.)

Of course, not using public/open Wi-Fi networks is the better choice, but I'm still interested in what a website developer can do to protect his/her users.

Answer

Firesheep is nothing new. Session hijacking has been around for as long as web applications have been using session IDs. Usually hackers just set their own cookie by typing this into the address bar: javascript:document.cookie='SOME_COOKIE'. This tool is for script kiddies that fear 1 line of JavaScript.

Cookies can be hijacked if you don't use HTTPS for the entire life of the session, and this is a part of OWASP A9 - Insufficient Transport Layer Protection. But you can also hijack a session with XSS.

1) Use HttpOnly cookies.

2) Use "secure cookies" (horrible name, but it's a flag that forces the browser to make the cookie HTTPS-only).

3) Scan your web application for XSS.

Also don't forget about CSRF! (Which Firesheep doesn't address.)
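The following is an added example and is not code from the question, the answer or Firesheep itself. It ties the two halves of the thread together: first, what a sniffer on open Wi-Fi does with a cleartext request, which is exactly the leak the question describes (a session cookie set at an HTTPS login and then sent again on a plain HTTP page); second, the server-side Set-Cookie attributes the answer recommends (Secure and HttpOnly) and a check for whether a given header carries them. The captured request, host name and cookie name are constructed for illustration. The hardened header also adds SameSite=Lax, which the answer does not mention but which bears on its closing CSRF remark.

```python
"""Added example, not part of the original Q&A: session-cookie leakage over
plain HTTP and the Set-Cookie flags that prevent it.  All inputs are constructed."""
from http.cookies import SimpleCookie
from typing import List, Optional, Set

# Constructed capture: one cleartext HTTP request as a passive sniffer on an
# open Wi-Fi network would see it.  The user logged in over HTTPS earlier, then
# followed an http:// link, so the browser re-sent the session cookie in clear.
CAPTURED_HTTP_REQUEST = (
    "GET /inbox HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: theme=dark; SESSIONID=3f9a1c2e7b6d4a5f\r\n"
    "\r\n"
)


def sniff_session_cookie(raw_request: str, cookie_name: str) -> Optional[str]:
    """What a Firesheep-style tool does: pull the Cookie header out of a
    cleartext request and return the session cookie's value (None if absent).
    No password is involved; the cookie alone is enough to ride the session."""
    headers, _, _ = raw_request.partition("\r\n\r\n")
    for line in headers.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            if cookie_name in jar:
                return jar[cookie_name].value
    return None


def _attributes(set_cookie_header: str) -> Set[str]:
    """Lower-cased attribute names of a Set-Cookie header (everything after
    the name=value pair), e.g. {'path', 'secure', 'httponly'}."""
    return {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_header.split(";")[1:]
        if part.strip()
    }


def audit_set_cookie(set_cookie_header: str) -> List[str]:
    """Return the flags from the answer that this Set-Cookie header lacks:
    Secure  -> browser never sends the cookie over plain HTTP, so the capture
               above would contain no session cookie at all;
    HttpOnly -> document.cookie cannot read it, blunting cookie theft via XSS."""
    present = _attributes(set_cookie_header)
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in present]


def browser_sends_cookie(set_cookie_header: str, scheme: str) -> bool:
    """Model of the one rule that matters here: a Secure cookie is only
    attached to https:// requests; everything else is sent on http:// too."""
    return not ("secure" in _attributes(set_cookie_header) and scheme == "http")


def harden_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build the Set-Cookie header a login handler should emit for its session
    cookie.  SameSite=Lax goes beyond the answer's list; it is added here
    because of the answer's CSRF remark (assumption, not from the page)."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("sniffed:", sniff_session_cookie(CAPTURED_HTTP_REQUEST, "SESSIONID"))
    weak = "SESSIONID=3f9a1c2e7b6d4a5f; Path=/"
    print("weak header lacks:", audit_set_cookie(weak))
    strong = harden_set_cookie("SESSIONID", "3f9a1c2e7b6d4a5f")
    print("hardened header:", strong)
    print("hardened cookie sent over http:", browser_sends_cookie(strong, "http"))
```

The Secure flag is what makes "100% HTTPS at all times" enforceable from the server side rather than depending on every link being https://: a browser that honours it simply never emits the cookie on a plain HTTP request, so a sniffer on the open network has nothing to grab. HttpOnly addresses the separate path the answer raises (XSS reading document.cookie) and does nothing against a passive sniffer on its own.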

