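"This server is vulnerable to a BREACH attack. Disable HTTP compression for cross-site requests, or when the header is not present in the request. Unlike the CRIME vulnerability, disabling TLS compression does not solve the problem. BREACH exploits compression in the underlying HTTP protocol."
The "Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)" vulnerability targets HTTP compression. Attackers use HTTP-level compression to extract information from HTTPS-protected data, including email addresses, security tokens, and other plain-text strings.
Basically, the attacker forces your browser to connect to a TLS-enabled website. Using a man-in-the-middle (MITM) attack, they monitor the traffic between you and the web server.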
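The mitigation quoted above, sketched as server-side logic that compresses a response only for same-site requests. This is an added example, not DigiCert's code; it assumes the unnamed header is `Referer`, and the host name, function names and sample requests are constructed.

```python
import gzip
from urllib.parse import urlsplit

OWN_HOST = "shop.example.test"  # constructed host name for this example


def should_compress(headers, own_host=OWN_HOST):
    """Allow gzip only for same-site HTTPS requests that carry a Referer."""
    h = {k.lower(): v for k, v in headers.items()}
    if "gzip" not in h.get("accept-encoding", "").lower():
        return False
    referer = h.get("referer", "").strip()
    if not referer:
        return False  # header absent: respond uncompressed
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False  # malformed Referer is treated like a missing one
    # .hostname drops userinfo and port, so "https://shop.example.test@other/" fails
    return parts.scheme == "https" and parts.hostname == own_host.lower()


def build_response(headers, body, own_host=OWN_HOST):
    """Return (response_headers, payload) with compression applied conditionally."""
    resp = {"Content-Type": "text/html; charset=utf-8",
            "Vary": "Accept-Encoding, Referer"}  # caches must key on both
    if should_compress(headers, own_host):
        body = gzip.compress(body)
        resp["Content-Encoding"] = "gzip"
    resp["Content-Length"] = str(len(body))
    return resp, body


# Constructed sample requests
PAGE = b"<html>" + b"<p>account page</p>" * 50 + b"</html>"
SAME_SITE = {"Accept-Encoding": "gzip, br", "Referer": "https://shop.example.test/cart"}
CROSS_SITE = {"Accept-Encoding": "gzip", "Referer": "https://other.example.test/x"}
NO_REFERER = {"Accept-Encoding": "gzip"}

if __name__ == "__main__":
    for name, req in [("same-site", SAME_SITE), ("cross-site", CROSS_SITE),
                      ("no referer", NO_REFERER)]:
        hdrs, payload = build_response(req, PAGE)
        print(name, hdrs.get("Content-Encoding", "identity"), len(payload))
```

Cross-site and Referer-less requests receive the identity encoding, so their response length no longer depends on how well the body compresses.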
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.