我正在阅读 Firesheep并想知道如何保护我的 Spring MVC 3.0 站点免受这样的攻击:
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
Spring MVC 中是否有特定的配置设置可以帮助防止此类攻击?
根据文章:
The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.
我有一个在 Google App Engine 上运行的 Spring 网站。这是否意味着如果我想避免这种攻击,我需要使用 Google 帐户身份验证而不是 Spring 提供的内置身份验证?
最佳答案
firesheep 的全部意义在于身份验证机制不是唯一的问题。大多数系统使用 HTTPS 保护身份验证步骤,但不保护与用户的后续交互。无论您使用哪种身份验证机制,您都应该确保涉及登录用户的所有交互都通过 HTTPS 进行。这在 App Engine 中是可能的,但前提是您在应用程序的 appspot 域 (myapp.appspot.com) 之外提供服务。
关于java - 我是否需要使用 Google 帐户身份验证而不是 Spring 身份验证来避免 Firesheep cookie 嗅探攻击?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/4014128/