你应该在哪里启用SSL? [英] Where should you enable SSL?
问题描述
我的最后几个项目涉及销售产品/服务的网站,并且需要结帐流程,用户可以在其中输入信用卡信息等。显然,我们获得了SSL证书以确保其安全性,并让客户放心。然而,我对它的细微之处有点无能为力,最重要的是,网站的哪些部分应该使用证书。
My last couple of projects have involved websites that sell a product/service and require a 'checkout' process in which users put in their credit card information and such. Obviously we got SSL certificates for the security of it plus giving peace of mind to the customers. I am, however, a little clueless as to the subtleties of it, and most importantly as to which parts of the website should 'use' the certificate.
例如,我去过网站,当你点击主页时,你被放入https - 主要是银行网站 - 然后有网站,当你最终退房时,你只是放在https。如果不处理银行业务的某些事情,整个网站是否通过https运行是否过度?我应该只进行结账页面https吗?全力以赴的表现是什么?
For example, I've been to websites where the moment you hit the homepage you are put in https - mostly banking sites - and then there are websites where you are only put in https when you are finally checking out. Is it overkill to make the entire website run through https if it doesn't deal with something on the level of banking? Should I only make the checkout page https? What is the performance hit on going all out?
推荐答案
我个人选择SSL来自祸患。
I personally go with "SSL from go to woe".
如果您的用户从未输入信用卡号,请确保没有SSL。
If your user never enters a credit card number, sure, no SSL.
但是,cookie重播存在固有的安全漏洞。
But there's an inherent possible security leak from the cookie replay.
- 用户访问网站并获得一个cookie。
- 用户浏览网站并将数据添加到购物车(使用cookie)
- 用户使用cookie进入付款页面。
这里有一个问题,特别是如果你必须自己处理付款谈判。
Right here there is a problem, especially if you have to handle payment negotiation yourself.
您必须将信息从非安全域传输到安全域,然后再传回,而不保证保护。
You have to transmit information from the non-secure domain to the secure domain, and back again, with no guarantees of protection.
如果你做一些愚蠢的事情就像你使用安全一样用不安全的方式共享同一个cookie,你可能会发现一些浏览器(正确)只会掉落为了安全起见,完全使用cookie(Safari),因为如果有人在公开场合嗅探那个cookie,他们可以伪造它并在安全模式下使用它,将你精彩的SSL安全性降低到0,如果有人详细说明甚至临时存储在会话中,你有一个危险的泄漏等待发生。
If you do something dumb like share the same cookie with unsecure as you do with secure, you may find some browsers ( rightly ) will just drop the cookie completely ( Safari ) for the sake of security, because if somebody sniffs that cookie in the open, they can forge it and use it in the secure mode to, degrading your wonderful SSL security to 0, and if the Card details ever get even temporarily stored in the session, you have a dangerous leak waiting to happen.
如果你不能确定你的软件不容易出现这些弱点,我会建议从一开始就使用SSL,所以他们的初始cookie是在安全的情况下传输的。
If you can't be certain that your software is not prone to these weaknesses, I would suggest SSL from the start, so their initial cookie is transmitted in the secure.
这篇关于你应该在哪里启用SSL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
