Electronic Business Account Login security

CCTV's 3.15 party this year exposed the Wi-Fi hotspot security issues. With the popularity of free Wi-Fi hotspots, many people's accounts have been intercepted by others at risk, in some cases, may even break through the HTTPS protocol to steal the user's account information. Today, a lot of electrical business sites (such as Jingdong, Suning) is the use of HTTPS protocol for data transmission, information so easily captured, then the security of the Internet and how to protect it?

"Ideas for solving problems"

Jingdong and Suning after logging in with HTTPS protocol, the default is no longer using the secure login control (Figure 1). Compared with the HTTP protocol used previously, HTTPS protocol encrypts the data itself in the process of data transmission, and the account information is more secure and reliable. HTTPS is usually in the Advanced TLS1.2 Protocol (Figure 2), and currently, there is no effective method of cracking. So in theory, it's safer and more reliable than a security control.

Originally a secure protocol, proper use can effectively prevent the disclosure of account information. However, because these electrical dealers to consider the user's experience and accurate analysis, and so on, the use of the page is not a pure HTTPS page, but in the page contains other unencrypted HTTP pages and other unsafe resources. Or the use of outdated encryption technology. This causes user accounts to be easily captured.

Knowing the reason for the loss of account information, the solution can be easily found. Of course, the best way to do this is to use a pure HTTPS page for these sites, but that's not something we can solve. So if you think that the network is not very safe, or have doubts, then you can take some security measures, after all, to prevent the heart of people must not.

"How To solve problems"

Retrieve the missing security controls

The password information for the security control login is encrypted and can effectively prevent the password from being captured. The security controls have two aspects: protecting input and encrypting data. Depending on the use of the platform, ActiveX or Java applet implementations can be used. Currently common security logins are commonly used in HTML making pages, and then the ActiveX control is invoked to enter account information, which is often referred to as a security control. If the user clicks the Submit button, the client encrypts the password, and then transmits the encrypted password in the network, which can effectively avoid the disclosure of the user account information.

But it is such a good security tool, for the customer experience better (security controls need to download), many sites do not use the security login control by default, that is, even if you download the security control installed, in the login, there will be no security control options, resulting in many people think that the security control is invalid Thus completely abandoning this effective tool.

In fact, if you use IE debugging mode, many times to switch browser mode, so that the site feel that the client may be in an insecure network environment. The server then makes the secure login control appear again to retrieve the security controls.

First open the browser, press the F12 key, switch browser mode and document mode (Figure 3). After multiple transitions, the security control option appears again (Figure 4). If there is no download, click Download and then use it after the installation is successful (Figure 5). If it has already been installed, it can be used directly.

Mixed browser pull up security controls

If the above method does not work, install a different kernel browser on your computer, alternately starting a different browser, or you can have the security control appear. The author installed on the computer Firefox browser, Google Browser, the security control immediately appeared. It's worth noting that Google's browser's security controls require its own permission to run (Figure 6).

Digital certificate Login

The digital certificate is the network ID card, uses the digital certificate public key encryption information, besides the digital certificate holder, other people cannot decrypt the information. Just like a phone call, a specific phone number, only the holder of the number can receive the call. Therefore, the use of digital certificates issued by the operator login, can effectively avoid the interception of information.

For example, a Alipay digital certificate is one of the credentials used to fund the Alipay account, which encrypts the information and ensures the security of the account and funds (Figure 7). This digital certificate is a personal digital certificate that will be installed on the computer after downloading. It guarantees the security of the account while the local computer is secure, but never install digital certificates on a public computer or on a computer that is not secure. If security is not guaranteed, then discard the digital certificate in this way, otherwise there will be a more serious problem, because this time, the login relies on a digital certificate rather than a password.

Small tip:

Notably, there is another digital certificate that protects only the security of key information changes in the account (Figure 8). After the application of digital certificate, only in the computer installed digital certificate to modify the mobile phone, change payment password and other account security operations. Note that this certificate does not protect the security of the account itself.