First of all, this is a big proposition, before the top Internet company in charge of a few external service development, but also a little experience, I try to answer:
In the Internet environment, security issues I mainly divided into the following categories:
Hackers steal information during transmission
Security of the server itself
Security of server-side data
First, if you can use HTTPS, as far as possible with HTTPS, can use Nginx and other common server, the use of common servers, mainly to avoid the following problems:
Self-implemented protocol &server may have various bugs, buffer overflow attacks, etc.
SSL encryption system is mature enough for monitoring and trustworthy
Fortunately, the attack on private protocol services requires a hacker analysis protocol, which adds a layer of protection to the general small service. But if you work in a big company, tall tree catches must at least be theoretically free of security loopholes. God horse, Xor confuse a bit, C/s End write dead a symmetric key this kind of deceiving thing don't do, otherwise will die of difficult to see.
If you need to implement the server side, the implementation of a set of qualified SSL is very test of the foundation:
The first thing to understand is the principle of SSL encryption system key exchange
A deep understanding of symmetric and asymmetric cryptographic algorithms
How to implement a set of key exchange system with asymmetric encryption algorithm
How to handle CA certificates and how to avoid man-in-the-middle attacks in self-signed situations
In the process of project realization, we should consider:
Various possible buffer overflow attacks
SYN flood attack, slow connection attack
DDoS defense is difficult, but at least it can defend against Dos attacks.
At the business logic level, consider:
User & permission verification for each interface
The interface will not be used by people, replay attack
The attacker will not find an interface that consumes server-side resources, exhausting the server resources at a very small cost
User's username password will not be broken through the interface, see: Celebrity photo hack
Your service will not be exploited by hackers to attack other services, especially what resources will be crawled according to user input services
An ancient SQL injection
Shameless phishing services, DNS fraud
Involving the HTML, but also to consider the cross-site ...
Even if you do it seamlessly, consider that teammates sometimes drop the chain:
GLIBC, OpenSSL these underlying libraries can also be exploited, see: Heartbleed
Other services on the same host are compromised
I've never stepped on a lot of pits, I know a lot of things. After writing it, the whole person is not good.
Welcome to join reboot Operation Development thousand people (365534424) Technical exchange sharing every day has
This article is from the "Reboot DevOps Development" blog, please be sure to keep this source http://opsdev.blog.51cto.com/2180875/1669512
What security issues should be considered in the implementation of the TCP socket server in the Internet?