The first line of defense against cyber security.

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

With the popularization of the Internet, a variety of activities on the network more and more active, but the network security more and more attention, but the first line of security is to login, but also the first step of the hacker attack. The first line of defense is lost, and your station is not yours. How can the member login be safe? There are two security mechanisms available: HTTPS (hypertext transmits Kyoto secure) and photo authentication mechanism (CAPTCHA).

In fact, these two mechanisms have cracked the way, first on the HTTPS, it can be sslstrip attack tactics, for example, when the user clicks on the login page with HTTPS, SSLstrip will modify the site unencrypted response, so that "https into HTTP", You can even display the security lock logo for HTTPS in the browser address bar. The process is as follows:

1. Set iptables switch to HTTP transmission sslstrip. (iptables-t nat-a prerouting-p tcp destination-port 80-j REDIRECT)

2. Open SSLstrip. (Sslstrip.py-l < listenport>)

3. Use ARP spoofing attack. (Arpspoof-i-T)

The process is as follows:

From this point of view, with HTTPS transmission, of course, can not completely block hacker attacks, but the enterprise also need not worry too much, this type of attack has limitations, must be in the same area network environment and use ARP spoofing attack will be successful, therefore, the environment only need to lock the IP and Mac corresponding, You can block this man-in-the-middle attack and do not have to worry about the risk of extended DNS spoofing by ARP spoofing attacks.

As for the photo validation mechanism (CAPTCHA), it can generally be used to block the following situations:

First, enumerate attacks (also known as attempted attacks, login, registration, or password reset forms are often vulnerable to enumeration attacks, if the image validation mechanism is not used, attackers can get a valid account or other sensitive information in a short period of time), or brute force attack.

Second, in a short period of time to automatically send a lot of unwanted get/post requests (for example: SMS/Email flooding), CAPTCHA can achieve the speed limit function.

Third, automatically establish the use of online services account.

Iv. Acts for commercial promotion, harassment or sabotage.

V any automatic attack that collects or abuses sensitive information from an application.

And the image verification mechanism to crack the way there are two, one is the use of the program first to strengthen the contrast, sharpening, and then through the graphic comparison can restore the figures in the picture. Two is to do through manual, the work of manual decoding code is called the Code task (Captcha Human Bypass), which is said another hacker economy, but this is the coolie alive.

From the member login mechanism of attack and defense two sides, picture verification code is just the first line of defense! Defensive side can be designed, when the attempt to login failed a certain number of times, automatically lock the account usage rights, or block the source IP, so that the source of IP inaccessible services, although the hackers can go to find chickens or proxy change IP, But it always takes a while. In other words, although the image verification mechanism can not completely prevent hacker attacks, but if the combination of monitoring system, increase the difficulty of hacking attacks, delay hackers to crack the success of the time, as long as can be postponed to the year, most hackers will give up the platform to attack.

No one security mechanism can do hundred hundred security, but as long as the matching, can enhance the security intensity, to the member login mechanism, in addition to HTTPS and picture authentication code, can also use dynamic password (one-time password), increase the strength of identity authentication mechanism, The more secure design is, in the authentication, in addition to the account number, password, but also to enter the OTP password, at this time even if OTP was obtained by others, as long as the two previous information is not a leak, you can reduce the risk of being cracked. By the website space www.435dns.com the publication, the first A5 station, reprint please specify