How to make the Web more secure (3)

Source: Internet
Author: User
SSL securely establishes an encrypted connection, and it requires only that the server obtain a certificate issued by a certificate authority such as VeriSign. But encryption only prevents an attacker from reading the data a site sends and receives; it does not prevent an attacker from forging an identity or launching other attacks against the site.

Second, posing as a legitimate visitor of a Web site

We now know how a visitor identifies a Web site, but how does a site identify its visitors? That is the problem discussed next.

Most Web servers support two password authentication schemes: Basic authentication and Digest authentication. Both work the same way at the start: the server answers a request with an authentication challenge. When the browser first receives the challenge, it displays a dialog box asking for the user name and password. In Basic authentication the browser sends the user name and password in plain text (only Base64-encoded, which anyone can reverse). In Digest authentication the browser sends a message digest (a hash) computed over the user name, the password and a nonce supplied by the server, so the password itself never crosses the wire. If the server confirms the credentials, the browser stores the login information and sends it again with later requests.

If you enable these authentication schemes through the Web server's configuration, you do not need to add any code to your Web application: the server itself sends the challenge and checks the credentials against its user database.

Eavesdropping: if a visitor sends his user name and password in plain text, it is easy for an attacker listening on the network to capture them. Transferring the login information over SSL solves this problem; the login form only has to be served from, and submitted to, an https:// address, as in the following example (the address is illustrative):

<form method="post" action="https://www.yourunit.com/login">
  User ID: <input type="text" name="user">
  Password: <input type="password" name="password">
</form>


If an attacker cannot eavesdrop on the communication between the Web site and the visitor, he will take a more underhanded approach: posing as one of your legitimate visitors. The cause of this is usually the visitors themselves. Most network users are not very careful in choosing passwords, so their passwords are generally not very secure, and they like to use the same user name and password on every site they log on to, so a password captured from one site opens their accounts on all the others.

The way to address this is to require visitors to choose a secure password when they register an account. At a minimum the Web site should prevent visitors from setting a plain English word as the password, and it should advise users to use a password that mixes letters and digits.
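The following is an added example (not code from the original article) of the registration-time password check the paragraph above recommends: it rejects passwords that are a dictionary word, even when disguised with digit-for-letter substitutions or a trailing year, requires a mix of letters and digits, and refuses passwords that contain the user name. The word list is a tiny constructed stand-in for a real dictionary or breached-password file, and the length minimum of 8 is an assumed policy value.

```python
"""Registration-time password policy check.

Added example, not the article's own code. COMMON_WORDS is a constructed
stand-in for a real dictionary; MIN_LENGTH is an assumed policy value.
"""
import re

# Constructed stand-in for a dictionary file or breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey",
                "football", "summer", "qwerty"}

MIN_LENGTH = 8  # assumed policy value

# Common digit/symbol-for-letter swaps, so 'p4ssw0rd' is still seen as 'password'.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _core_word(password: str) -> str:
    """Lower-case the password, drop a trailing run of digits (e.g. a year),
    and undo leetspeak substitutions, leaving the word the user started from."""
    lowered = password.lower()
    without_suffix = re.sub(r"\d+$", "", lowered)
    return without_suffix.translate(_LEET)


def password_problems(password: str, username: str = "") -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"\d", password):
        problems.append("must mix letters and digits")
    if password.lower() in COMMON_WORDS or _core_word(password) in COMMON_WORDS:
        problems.append("is a dictionary word")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    return not password_problems(password, username)


if __name__ == "__main__":
    for pw, user in [("password1", "bob"), ("Dr4gon2024", "alice"),
                     ("summer", "carol"), ("alice2024x!", "alice"),
                     ("k7Rw!vZ2pq", "dave")]:
        print(f"{pw!r:>14}: {password_problems(pw, user) or 'OK'}")
```

Running the block prints the verdict for each constructed password; only the last one passes. The leetspeak and trailing-digit normalisation is what turns the article's "do not allow English words" advice into something users cannot trivially sidestep with "Password1".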

Third, posing as the Web site itself

When a visitor logs on to your site, you want his identity to remain valid until he leaves. How do you implement this? No permanent connection exists between the browser and the server: the server sets up a separate connection for each page request it receives.

How does the server confirm the identity of the user after a successful login?

The answer is that the browser saves the user name and password. Every time it connects to the server again, it passes along the stored credentials, and the server checks them against its user database and decides on that basis whether to allow or deny access. This also means the credentials travel with every request, not only at login, so a page fetched over an unencrypted connection exposes them each time.
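The following is an added example, not code from the original article, that ties together the two passages above: the Basic and Digest schemes described under "posing as a legitimate visitor", and the per-request re-verification described in this section. It shows the server's challenge header, what the browser sends back under each scheme, what an eavesdropper recovers from the Basic header, and how the server checks every request against its user database. The realm, the user database, the nonce and the request are all constructed; the Digest computation is the RFC 2617 MD5 scheme with qop=auth.

```python
"""Basic and Digest HTTP authentication, and per-request verification.

Added example for this article, not code from the original. REALM, USERS,
the nonce and the request are constructed inline.
"""
import base64
import hashlib
import secrets

REALM = "yourunit.com"
# Constructed user database. Plain text only to keep the example self-contained;
# a real server stores a password hash (or the Digest HA1 value).
USERS = {"alice": "S3cret!9"}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# ---- Basic authentication ---------------------------------------------------

def basic_challenge() -> str:
    """Server -> browser: the 401 header that makes the browser show its login dialog."""
    return f'WWW-Authenticate: Basic realm="{REALM}"'


def basic_authorization(user: str, password: str) -> str:
    """Browser -> server: 'user:password' merely Base64-encoded, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(authorization: str) -> tuple[str, str]:
    """The decoding the server does; an eavesdropper does exactly the same."""
    scheme, token = authorization.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


# ---- Digest authentication --------------------------------------------------

def digest_challenge(nonce: str) -> str:
    """Server -> browser: the challenge carries a fresh nonce the browser must hash in."""
    return f'WWW-Authenticate: Digest realm="{REALM}", qop="auth", nonce="{nonce}"'


def digest_response(user: str, password: str, nonce: str, method: str, uri: str,
                    nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """Browser -> server: a hash bound to the credentials and this request (RFC 2617)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


# ---- Server side: every request is checked against the user database -------

def verify_basic(authorization: str) -> bool:
    user, password = decode_basic(authorization)
    stored = USERS.get(user)
    return stored is not None and secrets.compare_digest(stored.encode(), password.encode())


def verify_digest(user: str, response: str, nonce: str, method: str, uri: str,
                  nc: str = "00000001", cnonce: str = "0a4f113b") -> bool:
    """Recompute the expected digest from the stored password; compare in constant time."""
    if user not in USERS:
        return False
    expected = digest_response(user, USERS[user], nonce, method, uri, nc, cnonce)
    return secrets.compare_digest(expected, response)


def new_nonce() -> str:
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Basic: the browser stores the credentials and resends them on every request.
    auth = basic_authorization("alice", "S3cret!9")
    print(basic_challenge())
    print("Authorization:", auth)
    print("eavesdropper recovers:", decode_basic(auth))
    print("server accepts:", verify_basic(auth))

    # Digest: the wire carries only a hash bound to this nonce and URI.
    nonce = new_nonce()
    resp = digest_response("alice", "S3cret!9", nonce, "GET", "/account")
    print(digest_challenge(nonce))
    print("response:", resp)
    print("server accepts:", verify_digest("alice", resp, nonce, "GET", "/account"))
    print("replayed for /admin:", verify_digest("alice", resp, nonce, "GET", "/admin"))
```

Two points the code makes that the prose only implies: with Basic authentication the server's own decoding step is all an eavesdropper needs, which is why the scheme is only safe over SSL; with Digest authentication a captured response cannot be replayed against a different URI, because the request method and URI are part of the hash. MD5 is what RFC 2617 specifies; it is used here because that is the protocol, not as a recommendation for new designs.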

As mentioned earlier, the browser confirms the identity of the server by comparing the host name in the URL with the name in the server's digital certificate. This is a good Web security precaution, but it cannot stop every attack in which someone impersonates your server.

The Domain Name System (DNS) resolves a human-readable name such as www.yourunit.com to an IP address, and it is an easy target in your chain of security. If an attacker gains access to a DNS server and modifies the record so that it points to his own machine, that machine can redirect every request meant for www.yourunit.com to www.attacker.com. After the redirect the visitor's browser does display the new address, but if the URL is long enough that www.attacker.com scrolls out of view in the address bar, most visitors will not notice.

If the attacker also obtains a digital certificate from VeriSign for www.attacker.com, the visitor's browser establishes a perfectly valid SSL connection with www.attacker.com: the name in the certificate matches the host in the redirected URL, so no warning appears. Note that the certificate passes only because the visitor has been moved to the attacker's own host name; a certificate for www.attacker.com would be rejected for a URL naming www.yourunit.com. Unless the visitor inspects the certificate, he has no way of knowing he is on the attacker's site. If the attacker has made his site a copy of your login page, he can capture the customer's bank or credit card account details.
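The following is an added example, not code from the original article or from any browser, of the name check described in this section: extract the host from the URL and test it against the dNSName entries of the server's certificate, using the matching rules of RFC 6125 (exact match, or a wildcard that stands for exactly one left-most label). The certificate names and URLs are constructed to replay the scenario above: the attacker's certificate fails against the real URL but passes once the visitor has been redirected to www.attacker.com, however long the URL is.

```python
"""Browser-side check: does the URL's host match a name in the server certificate?

Added example, not the article's or any browser's code. Certificate names and
URLs below are constructed; matching follows RFC 6125 wildcard rules.
"""
from urllib.parse import urlsplit


def host_from_url(url: str) -> str:
    """The host the browser compares: scheme, port, path and query are ignored."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def name_matches(cert_name: str, host: str) -> bool:
    """Match one certificate dNSName against the host.

    A wildcard is accepted only as the entire left-most label ('*.yourunit.com'),
    it covers exactly one label, and it never covers the registrable domain itself.
    """
    cert_name = cert_name.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    first, _, rest = cert_name.partition(".")
    if first != "*" or "." not in rest:  # reject 'w*.yourunit.com', '*.com', '*'
        return False
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def certificate_matches(cert_names: list[str], url: str) -> bool:
    """True when any dNSName in the certificate covers the URL's host."""
    host = host_from_url(url)
    return any(name_matches(name, host) for name in cert_names)


if __name__ == "__main__":
    attacker_cert = ["www.attacker.com"]           # constructed
    real_url = "https://www.yourunit.com/login"
    # After the DNS-based redirect; the long query pushes the host out of view.
    redirected_url = "https://www.attacker.com/login?session=" + "a" * 300
    print("attacker cert vs real URL:  ", certificate_matches(attacker_cert, real_url))
    print("attacker cert vs redirected:", certificate_matches(attacker_cert, redirected_url))
    print("wildcard covers www:        ", certificate_matches(["*.yourunit.com"], "https://www.yourunit.com/"))
    print("wildcard covers apex:       ", certificate_matches(["*.yourunit.com"], "https://yourunit.com/"))
```

The first check fails and the second succeeds, which is the whole point of the attack: the browser's name comparison is sound, but it can only compare against the host the visitor was actually sent to. The defence therefore lies in the visitor reading the address bar and the certificate, and in keeping the DNS records themselves out of an attacker's reach.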
