如果网站不太可能拥有SSL证书,是否可以确保应用程序? [英] Is it possible to secure an application if it is unlikely that the website will have an SSL certificate?
问题描述
我们生活在WordPress博客,Joomla网站和osCommerce商店的世界中,用户通过互联网以纯文本形式发送用户名和密码,用户常规登录到他们的安全管理区域。我们都知道这是坏的,但没有人似乎升级他们的网站使用SSL / TLS,开发人员非常高兴使应用程序工作在好的旧http。
在应用上,人们不应该认为值得实施更大的安全措施来保护其资产?如果选择是:
- 没有安全
- + )谁在乎?
- - )看到垃圾邮件和
罗伯特'); DROP TABLE学生;
- 从obscurity安全
< $>
- +)只有某些人知道要访问的网址
- - )这只是一个时间问题...
- 仅使用用户名进行身份验证
- +)如果用户名模糊不清, / li>
- - )强力攻击太有效
- +)如果用户名模糊不清, / li>
- 使用用户名和密码进行身份验证
- +)比只是一个用户名好,
- - )比只是一个用户名好,
- 使用用户名和密码哈希验证
- +)防止数据库黑客窃取密码列表
- - )如果有人可以窃取你的数据库,你不用担心纯文本密码
- 使用JavaScript加密进行身份验证(请参阅 Javascr ipt不对称加密和身份验证)
- +)防止用户名和密码通过纯文本发送
- - )中间的人可以拦截JavaScript并窃取您的密码
- 通过SSL $ b $执行上述任何操作b
- +)防止中间人攻击
- - )如果一个黑客是这样确定的,他们会找到另一种方法让你失望
如果前5个人对于你的普通维基百科读者来说很简单努力工作,6号需要更多的知识和黑客忽略第7号移动到其他漏洞,这些都不是一个令人满意的方式来保证绝对安心。
问题:
- 平均WordPress博客或phpBB论坛是什么级别的安全漏洞?
- 为什么用户名+密码变得如此流行?
- ld web应用程序开发人员创建未来的应用程序,知道SSL cerrtificate可能并不总是可用?
- 如果要设计一个具有安全区域的站点真的有点要被用于http?
-
我一直使用带有盐的散列密码。执行某种强力检查来阻止尝试超过X次登录失败等的IP也是很好的。
-
这是一个人们所熟悉的系统。给某人一个32字符的guid可能会更好的工作,如果他们可以记住它。问题是人们没有使用好的密码,并且像Facebook一样使用与电子邮件相同的银行密码。一个可能的情况:你去joe blow的网站,因为他提供了一个免费的铃声,你创建一个帐户,使用你所使用的相同的用户/通行证。 Joe Blow不会加密您的密码,而是使用它来尝试使用相同的用户名/密码组合访问各种银行网站。如果您在网站上输入了电子邮件,并使用与您的电子邮件相同的密码,那么他可以访问该邮件,并找到您在收到来自他们的电子邮件时使用的银行,让您了解您的声明。最弱的环节几乎总是用户不够细心。
-
除了IP检查,强力保护等之外,我采取的一些额外的预防措施是以确保用户代理在会话的整个生命周期内保持不变。这只是一个额外的检查,有助于防止某人暴力的会话ID ...他们也必须完美地欺骗用户代理,这将需要一个中间的人或具有数据库的实时视图的人...这通常不值得担心。
-
我还没有管理区域被黑客入侵,但我看到了尝试。大家都知道他们可以去一个wordpress网站的wp-admin /如果没有认证,世界上不会有一个垃圾邮件发送者没有一千个博客的博客。它可能不会阻止黑客精英和中间人...但大多数博客不值得为这些家伙努力。但是没有任何凭据会让任何一个可以编写机器人的人访问每个人的博客。
We live in a world of WordPress blogs, Joomla sites, and osCommerce shops where users routinely log in to their 'secure' admin areas by sending their usernames and passwords over the internet in plain text. We all know that's bad, but no one ever seems to upgrade their site to use SSL/TLS and developers are quite happy making applications that work over good old http.
Depending on the application, there must be a point at which people don't think it's worth implementing any greater security measures to protect their assets? If the choices are:
- No security at all
- +) Who cares anyway?
- -) Witness spam posts and
Robert'); DROP TABLE students;
- Security from obscurity
- +) Only certain people know which URL to go to
- -) It's only a matter of time...
- Authenticate with a username only
- +) Ok if the username is obscure and well constructed
- -) Brute force attacks are too effective
- Authenticate with a username and password
- +) Marginally better than just a username
- -) Marginally better than just a username
- Authenticate with a hash of username and password
- +) Prevents database hackers stealing password lists
- -) If someone can hack your database, you shouldn't be worrying about plain text passwords
- Authenticate with JavaScript encryption (see Javascript asymmetric encryption and authentication)
- +) Prevents usernames and passwords from being sent over plain text
- -) A Man In The Middle could intercept the JavaScript and steal your passwords anyway
- Do any of the above over SSL
- +) Prevents man in the middle attack
- -) If a hacker is this determined, they'll find another way to bring you down
If the first 5 are easy for your average Wikipedia reader to work out, number 6 needs just a bit more knowledge and hackers ignore number 7 to move on to other vulnerabilities, none of these are actually a satisfactory way to guarantee absolute peace of mind.
Questions:
- What level of security is the cut off point for your average WordPress blog, or phpBB forum?
- Why has username + password become so prevalent?
- How should web application developers create future applications, knowing that an SSL cerrtificate might not always be available?
- Is there really any point in designing a site with a 'secure' area if it is going to be used over http?
I ALWAYS use a hashed password with a salt. It is also good to implement some sort of brute force checking to block IPs that attempt more than X failed logins, etc.
It's a system people know. Giving someone a 32 character guid might work better if they could remember it. The problem is people not using good passwords and using the same passwords for banking as they do for e-mail as they do for facebook. A possible scenario: you go to joe blow's site because he's offering a free ringtone, and you create an account using the same user/pass you use everywhere. Joe Blow doesn't encrypt your password, instead he uses it to try to access various banking websites using the same username/password combo. If you entered your e-mail on the site and used the same password as your e-mail, then he can access that and find out what bank you use when you get an e-mail from them letting you know your statement is available. The weakest link is almost always the user not being careful enough.
Some of the extra precautions I take beyond IP checking, brute force protection, etc., is to make sure the user-agent stays the same for the life of the session. It's just one extra check that helps protect against someone brute-forcing session IDs...they'd have to also spoof the user agent perfectly, which would require a man in the middle or someone with a live view of the DB...which isn't usually worth worrying about.
I have yet to have an admin area hacked, but I have seen attempts. Everyone knows that they can go to wp-admin/ inside a wordpress website. If there were no authentication, there wouldn't be a blog in the world that didn't have 1000 blogs by a spammer overnight. It may not keep out the hacker-elites and middle-men...but most blogs aren't worth the efforts for those guys. But not having any credentials would let any guy who can write a bot access everyone's blogs.
这篇关于如果网站不太可能拥有SSL证书,是否可以确保应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
