"This server is vulnerable to the CRIME attack. Make sure your server has the TLSv1.2 protocol enabled and SSL/TLS compression disabled."
The Transport Layer Security (TLS) protocol has a feature, TLS compression, that lets you compress the data passed between the server and the browser. You use this feature to reduce the bandwidth and latency costs associated with encrypting and decrypting large amounts of data. TLS compression is offered in the Client Hello message. Including TLS compression is optional.
In the Compression Ratio Info-leak Made Easy (CRIME) attack, the attacker recovers the contents of secret session cookies and uses that data to hijack an authenticated web session. The attacker exploits a combination of plaintext injection and the data leakage caused by TLS compression. The attacker lures the browser into making several connections to the website. The attacker then compares the size of the encrypted data the browser sends during each exchange to deduce the secret part of the communication and hijack the session.
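As an added example (not DigiCert's code), the following Python inspects a server-side ssl.SSLContext for the two conditions the advisory names, TLS compression still permitted and a protocol floor below TLSv1.2, and shows a hardened context beside a deliberately weakened one. The function names are my own.

```python
import ssl

# Added example, not DigiCert's code: check a Python ssl.SSLContext for the
# two server-side CRIME preconditions named in the advisory.


def crime_findings(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is hardened."""
    findings = []
    # OP_NO_COMPRESSION tells OpenSSL never to offer or accept TLS-level compression.
    if not (int(ctx.options) & int(ssl.OP_NO_COMPRESSION)):
        findings.append("TLS compression not disabled (OP_NO_COMPRESSION unset)")
    # TLSVersion is an IntEnum, so ordering comparisons are meaningful; the
    # MINIMUM_SUPPORTED default on older Pythons also counts as too low.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol is {ctx.minimum_version.name}, below TLSv1.2")
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """Server context with the two mitigations the advisory asks for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def weak_server_context() -> ssl.SSLContext:
    """Deliberately weakened context (demonstration only): compression re-enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Clear the flag with plain ints so this works across Python's IntFlag changes.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_server_context()),
                      ("weak", weak_server_context())):
        print(name, crime_findings(ctx) or "OK")
```

On a live connection the same question can be asked of the negotiated session: `SSLSocket.compression()` returns None when no TLS compression is in use.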
DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.