Gmail和Facebook个人资料专用的HTTPS:容易受到攻击吗?
[英]Gmail and Facebook Profile-specific HTTPS: Vulnerable?
问题描述
I've begun to wonder about something: 
我开始想知道一些事情:
Given that Gmail and Facebook use HTTPS on a per-profile basis, and that they don't use it by default, are connections to them vulnerable? 鉴于Gmail和Facebook基于配置文件使用HTTPS,并且默认情况下不使用HTTPS,与它们的连接是否容易受到攻击?
I'm not familiar at all with the protocols involved, but my reasoning goes like this: the browser needs to figure out whether or not to use HTTPS, and by default, it doesn't. 我对所涉及的协议一点都不熟悉,但是我的推理是这样的:浏览器需要弄清楚是否使用HTTPS,默认情况下不需要。 That means that whenever I point my page to Facebook.com, my browser sends some piece of information (perhaps a session ID?) over an unencrypted channel to Facebook, before figuring out whether or not I've requested HTTPS. 这意味着,每当我将页面指向Facebook.com时,我的浏览器都会通过未加密的通道将一些信息(也许是会话ID?)发送到Facebook, 然后再确定是否请求HTTPS。 (Please correct me if I'm wrong, but I don't believe it uses a secure connection for sending this.) (如果我记错了,请纠正我,但我不认为它使用安全连接发送此消息。)
Doesn't this mean that anyone could hijack the session ID in the middle of the unsecure connection? 这是否意味着任何人都可以在不安全的连接中间劫持会话ID? Is this a potential vulnerability? 这是潜在的漏洞吗?
2 个解决方案
解决方案1
3 已采纳 2011-02-19 05:06:52
Cookies that use the Secure flag are sent only via HTTPS. 使用Secure标志的Cookie仅通过HTTPS发送。 So it is possible to always redirect HTTP to HTTPS and avoid sending session cookies over HTTP before the redirection but I wouldn't count on it so I would never connect with Gmail using http://mail.google.com/ - only https://mail.google.com/ 因此,可以始终将HTTP重定向到HTTPS,并避免在重定向之前通过HTTP发送会话Cookie,但我不会指望它,因此我永远不会使用http://mail.google.com/-仅使用https与Gmail连接: //mail.google.com/
Actually I just checked and Gmail seems to set 6 cookies - only 3 of which are secure. 实际上,我刚刚检查过,Gmail似乎设置了6个cookie-其中只有3个是安全的。 When you visit http://mail.google.com/mail/ your browser actually sends your email address in cleartext for everyone to see before you get redirected to HTTPS. 当您访问http://mail.google.com/mail/时,浏览器实际上以明文形式发送您的电子邮件地址,以供所有人查看,然后再重定向到HTTPS。
As for the security of Facebook... I recommend watching the "How I met your girlfriend" talks by Samy Kamkar at Defcon (shorter) and at Blackhat (longer). 至于Facebook的安全性...我建议观看Samy Kamkar 在Defcon (较短)和Blackhat (较长)上的“我如何认识你的女朋友”的演讲。
Update to avoid confusion in the comments: Samy Kamkar explained a method to guess the Facebook session cookie so HTTPS doesn't matter at all here. 更新以避免评论中的混乱: Samy Kamkar解释了一种猜测 Facebook会话cookie的方法,因此HTTPS在这里完全无关紧要。 The point is that you can use HTTPS only and still be vulnerable to session hijacking. 关键是您只能使用HTTPS,并且仍然容易受到会话劫持的影响。
解决方案2
2 2011-02-19 05:37:34
Both of these are secure and do not expose session IDs 这两个都是安全的,并且不公开会话ID
- User browses to http://www.facebook.com 用户浏览到http://www.facebook.com
- User types in username and password which submits to https://www.facebook.com/ ... 用户输入提交到https://www.facebook.com/的用户名和密码...
The facebook servers have securely received the username/password from step 2, validate the user, and check the database to see if this user requests SSL only traffic.
facebook服务器已从步骤2安全地接收到用户名/密码,请验证用户并检查数据库以查看该用户是否仅请求SSL流量。 If the user has SSL only traffic selected, facebook sets the secure bit in the cookie that contains the user's session ID only allowing it to be sent over secure connections. 如果用户选择了仅SSL流量,facebook将在cookie中设置包含用户会话ID的安全位,仅允许通过安全连接发送它。 All of the links facebook returns to that user are https:// links so each connection is encrypted. facebook返回给该用户的所有链接均为https://链接,因此每个连接均被加密。 Nowhere in this process is the session ID exposed
在此过程中,没有任何地方公开会话ID
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.