Shulou (Shulou.com), 06/02 report. Updated 2025-01-18.
Many people without much experience are unsure how to analyze attacks on HTTPS browser sessions. This article summarizes the causes of the problem and how to address it.
The good news about SSL is that most SSL sites use strong encryption. The bad news is that more than 60% of websites are misconfigured. Ivan Ristic, director of engineering, web application firewall and SSL at Qualys and a researcher, released the results of his study of 120 million registered domain names. Ristic found that 20 million of the registered domain names support SSL, while only 720,000 may contain valid SSL certificates. "This is an unusual proportion, but it doesn't really mean that only a small number of websites are using SSL, as far as we know," Ristic said.
More tellingly, more than half of all SSL sites use SSLv2, an older version of SSL that is not secure. Only 38 per cent of SSL sites are well configured, while 32 per cent contain the previously disclosed renegotiation vulnerability in the protocol.
At the same time, researchers Robert Hansen and Josh Sokol detailed 24 techniques for exploiting HTTPS/SSL in browsers using man-in-the-middle attacks. These include cookie poisoning and injecting malicious content into browser tabs. The researchers warn that HTTPS does not guarantee confidentiality and integrity in the browser.
"The sky did not fall, but for now, SSL is quite fragile," Hansen said at the Black Hat conference. "Proper tab isolation, cookie sandboxing and so on are needed." He recommends using a separate browser to visit websites that contain sensitive information.
At the same time, Ristic said that although the state of SSL sites is "average" in terms of security, SSL is rarely attacked by attackers. "I don't think SSL is a common attack vector because there are more and more vulnerable objects, and now we should start fixing the SSL problem, which can be fixed."
Two-thirds of SSL sites use default settings, which makes them vulnerable. "To solve this problem, you should be vigilant and talk to end users or vendors to see if you can achieve better configuration, which may also be a more feasible solution," Ristic said. For example, default support for insecure protocols in SSL servers is a common mistake.
"It only takes 15 minutes to configure the SSL server, select the key size for the certificate, disable the insecure protocols, and disable the insecure ciphers."
Insecure SSLv2 is vulnerable to man-in-the-middle attacks. Although this version of SSL has been disabled in most mainstream browsers, it is still enabled on many SSL sites. "The saddest thing is that more than half of SSL sites support SSL2, which we have known for years to be insecure."
He found that SSL sites have little or no support for the more secure TLS 1.1 and 1.2 protocols.
But the survey found that most SSL sites use strong encryption, 128 bits or more. Overall, according to Ristic, only 38.4% of SSL sites get an A in terms of security and configuration, while 61.46% get a B or lower. Ristic plans to release all the data from the survey and to repeat the survey once a year.
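The configuration steps Ristic lists (certificate key size, insecure protocols, insecure ciphers) can be checked mechanically. The following Python sketch is an added example, not code from the survey or from Qualys: it builds a hardened server context with the standard `ssl` module and audits it alongside a constructed legacy description. The function names, the sample data, the 2048-bit key threshold and the inclusion of SSLv3 among the insecure protocols are assumptions made for illustration.

```python
import ssl

# SSLv2 is the protocol the article calls insecure; also flagging SSLv3 is an assumption.
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_CIPHER_BITS = 128    # the article's bar for strong encryption
MIN_KEY_BITS = 2048      # assumed minimum RSA certificate key size (not from the article)
TLS_NAMES = {ssl.TLSVersion.TLSv1: "TLSv1.0", ssl.TLSVersion.TLSv1_1: "TLSv1.1",
             ssl.TLSVersion.TLSv1_2: "TLSv1.2", ssl.TLSVersion.TLSv1_3: "TLSv1.3"}

# Constructed sample: a legacy server description of the kind the article calls misconfigured.
LEGACY_SAMPLE = {"protocols": ["SSLv2", "SSLv3", "TLSv1.0"],
                 "ciphers": [("EXP-RC4-MD5", 40), ("DES-CBC-SHA", 56), ("AES128-SHA", 128)],
                 "key_bits": 1024}

def hardened_context():
    """Server context with legacy protocols and weak cipher suites switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # disable the insecure protocols
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx

def describe(ctx, key_bits):
    """Summarise an ssl.SSLContext as the plain dict that audit() checks."""
    hi = ctx.maximum_version
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    protocols = [name for ver, name in TLS_NAMES.items() if ctx.minimum_version <= ver <= hi]
    ciphers = [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]
    return {"protocols": protocols, "ciphers": ciphers, "key_bits": key_bits}

def audit(config):
    """Return one finding per weakness in a server TLS description."""
    findings = [f"insecure protocol enabled: {p}"
                for p in config["protocols"] if p in INSECURE_PROTOCOLS]
    if not {"TLSv1.2", "TLSv1.3"} & set(config["protocols"]):
        findings.append("no TLSv1.2 or later enabled")
    findings += [f"weak cipher: {name} ({bits} bits)"
                 for name, bits in config["ciphers"] if bits < MIN_CIPHER_BITS]
    if config["key_bits"] < MIN_KEY_BITS:
        findings.append(f"certificate key too small: {config['key_bits']} bits")
    return findings

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_SAMPLE), ("hardened", describe(hardened_context(), 2048))):
        print(label, audit(cfg) or "no findings")
```

The `key_bits` value is passed in by the caller because an `ssl.SSLContext` does not expose the size of a loaded certificate key.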