使用JavaScript获取用户计算机的独特之处？ [英] Getting something unique about user's computer with JavaScript?

问题描述

以下是这个想法：
如果我能从HTML页面（可能是MAC地址）获得带有JavaScript的计算机的独特之处，那么我可以将此数据用作另一个安全检查吗？
这可能吗？

Here's the idea: If I can get something unique about a computer with JavaScript from an HTML page (probably the MAC address), then can I use this data as another security check? Is that possible?

我不打算在客户端检查计算机，我将把它发送到服务器进行检查。如果没有发送，用户将被阻止。因此，任何开发人员+萤火虫组合都不能绕过它。我只想再发送一个包含用户名和密码的字符串，这对于计算机是唯一的，没有人知道他们是否没有从该计算机进入系统。就像用户自己隐藏的密码一样。

I am not going to check the computer at client side, i am going to send it to server to check. If nothing sent, user will be blocked. So it is not something that any developer+firebug combination can bypass. I just want to send one more string with username and password which is unique to computer and no one else knows if they don't entered to the system from that computer. Like a password hidden from user itself.

推荐答案

• 您可以尝试使用跟踪Cookie ;但请注意，此类机制被视为暂时性的（例如，可以删除cookie）。浏览器中的JavaScript是沙箱，因此无法访问页面外的组件。另请注意，使用JavaScript获得的任何安全感都是虚幻的 - 脚本在客户端运行，可以修改（因此无法判断唯一数据是真实的还是伪造的）或者完全禁用。

  • You can try using a tracking cookie; note however that such mechanisms are considered transient (e.g. cookies can be erased). In-browser JavaScript is sandboxed so that it does not have access to components outside the page. Note also that any feeling of security you'll gain with JavaScript is illusory - the script runs on the client side, where it can be modified (therefore there's no way to tell whether the "unique" piece of data is genuine or faked) or disabled altogether.

    如果您试图阻止随机人员攻击您的应用，您可能希望在尝试失败一定数量后禁用它们。这不会给你带来任何安全感，它更像是一个捕蝇草 - 它会在一定程度上限制烦恼。

    If you're trying to prevent random people from hacking at your app, you may want to ban them after a certain number of failed attempts. This will not get you any security, it's more of a flytrap - it limits the annoyances somewhat.

    最后，如果你想要实际的安全性，请选择HTTPS真实（非自签名）服务器证书和客户端证书 - 参见例如这个用于实施（但是，示例使用自签名服务器证书，这不是很安全。这是一种在浏览器本身中很好实现的机制，它为您提供了一个有点安全的系统（配有安全的密钥库）来识别您的用户（而不是基本上有缺陷的JS安全，或者依赖于用户 - 可读文件）。哦，你的数据在线上加密，这是一个奖励。

    Finally, if you want actual security, go for HTTPS with real (NOT self-signed) server certificates and client-side certificates - see e.g. this for an implementation (that example, however, uses self-signed server certificates, which is not very secure). This is a mechanism that is well-implemented in the browser itself, and provides you with a somewhat secure system (complete with a secure keystore) of identifying your users (as opposed to a fundamentally flawed JS "security", or relying on user-readable files). Oh, and your data is encrypted while on the wire, that's a bonus.

    SSL实际上做的就是你所做的要求：验证客户端计算机是否已向该用户颁发证书。这种机制在浏览器内部工作，而不仅仅在网页内部;因此，与页内JavaScript相比，颠覆这一点要困难得多。它以安全的方式存储一个大的唯一标识符（客户端证书），它可以向服务器证明它实际上具有该标识符 - 这几乎是您的初始要求。

    SSL actually does what you're asking for: verifies that the client machine has a certificate issued to that user. This mechanism works inside the browser, not just inside the webpage; thus, it is much harder to subvert this than an in-page JavaScript. It stores a large unique identifier (clientside certificate) in a secure way, and it can prove to the server that it actually has that identifier - which is pretty much your initial requirement.

    （顺便说一句，使用SSL，数据将在传输过程中受到保护，客户端可以验证服务器的身份;这些不是您的要求，但它们或多或少是必要的，以确保你实际上正在与真实客户和真实服务器交谈）

    (Incidentally, using SSL, the data will be protected in transit, and the client can validate the server's identity; those weren't your requirements, but they're more or less necessary to assure that you're actually talking to the real client and real server)

    这篇关于使用JavaScript获取用户计算机的独特之处？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！