"This server is vulnerable to the CRIME attack. Make sure the TLSv1.2 protocol is enabled on the server and SSL/TLS compression is disabled."
The Transport Layer Security (TLS) protocol includes a feature, TLS compression, that allows the data exchanged between the server and the browser to be compressed. It is used to reduce the bandwidth and latency cost of encrypting and decrypting large amounts of data. The client advertises TLS compression in its ClientHello message; including it is optional.
In the "Compression Ratio Info-leak Made Easy" attack, the attacker recovers the contents of the secret authentication cookie and uses that information to hijack the authenticated web session. To exploit the vulnerability, the attacker combines plaintext injection with the data leak caused by TLS compression. The attacker lures the browser into making many connections to the website, then compares the size of the ciphertext the browser sends during each exchange to work out part of the encrypted traffic and hijack the session.
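The length side channel described above, together with the configuration check for the recommended fix, as an added Python illustration that is not part of this DigiCert article. `SECRET_COOKIE` and the injected strings are constructed sample values; DEFLATE via `zlib` stands in for TLS-level compression of a record.

```python
import ssl
import zlib

# Constructed sample: the cookie header as it would sit in an HTTPS request
# before TLS compression. The session value is made up for this illustration.
SECRET_COOKIE = "Cookie: sessionid=7f3a9c1e2b"


def compressed_size(plaintext: str) -> int:
    """Size of the DEFLATE output. With TLS compression on, the record is
    compressed before encryption, so the ciphertext length on the wire
    tracks this number (the cipher does not hide length)."""
    return len(zlib.compress(plaintext.encode("utf-8")))


def length_delta(injected: str) -> int:
    """Growth of the compressed request when attacker-chosen text `injected`
    lands in the same record as the secret cookie. Text that repeats bytes
    already present is replaced by a back-reference and costs fewer bits,
    so the delta shrinks as the shared prefix gets longer."""
    baseline = compressed_size(SECRET_COOKIE)
    return compressed_size(SECRET_COOKIE + "\n" + injected) - baseline


def leaks_prefix_match() -> bool:
    """True when a guess that continues the real cookie compresses better
    than one that does not: the observable CRIME relies on."""
    return length_delta("sessionid=7f3") < length_delta("sessionid=7fX")


def hardened_context() -> ssl.SSLContext:
    """Context with TLS compression off and TLS 1.2 as the floor. CPython
    sets OP_NO_COMPRESSION by default; it is set explicitly here so the
    intent is visible in code review."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """Configuration check: does this context refuse to negotiate compression?"""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def negotiated_compression(sock: ssl.SSLSocket):
    """Runtime check on an established connection: None means no compression
    was negotiated, which is what a fixed server should always show."""
    return sock.compression()


if __name__ == "__main__":
    print("compressed length leaks prefix match:", leaks_prefix_match())
    print("hardened context disables compression:", compression_disabled(hardened_context()))
```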
DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.