HTTP Concise Tutorial

HTTP - Security

HTTP is used for communications over the internet, so application developers, information providers, and users should be aware of the security limitations of HTTP/1.1. This discussion does not offer definitive solutions to the problems mentioned here, but it does make some suggestions for reducing the security risks.

Personal Information Leakage

HTTP clients are often privy to large amounts of personal information, such as the user's name, location, mail address, passwords, encryption keys, etc. You should therefore be very careful to prevent unintentional leakage of this information via the HTTP protocol to other parties.

  1. All the confidential information should be stored at the server in encrypted form.

  2. Revealing the specific software version of the server may make the server machine more vulnerable to attacks against software that is known to contain security holes.

  3. Proxies that serve as a portal through a network firewall should take special precautions regarding the transfer of header information that identifies the hosts behind the firewall.

  4. The information sent in the 'From' field might conflict with the user’s privacy interests or their site’s security policy, and hence, it should not be transmitted without the user being able to disable, enable, and modify the contents of the field.

  5. Clients should not include a Referer header field in a (non-secure) HTTP request, if the referring page was transferred with a secure protocol.

  6. Authors of services that use the HTTP protocol should not use GET based forms for the submission of sensitive data, because it will cause the data to be encoded in the Request-URI.
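Items 5 and 6 describe two client-side leakage paths. The following added example (not code from the original tutorial) shows both checks in Python: the Referer is dropped when a page fetched over https refers to a request sent over plain http, and a GET form that carries a field named in the caller-supplied `sensitive_names` set is refused because its fields would land in the Request-URI. The URLs and field names used are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit

def referer_for_request(referring_url, request_url):
    """Return the Referer value the client may send, or None to omit it.

    Item 5: a page fetched over a secure scheme must not be named in the
    Referer of a request that goes out over non-secure HTTP.
    """
    if urlsplit(referring_url).scheme == "https" and urlsplit(request_url).scheme != "https":
        return None
    return referring_url

def build_form_request(action_url, method, fields, sensitive_names):
    """Return (method, url, body) for a form submission.

    Item 6: a GET form puts every field into the Request-URI, where it is
    logged and exposed along the way, so a GET form that carries any field
    named in sensitive_names is refused instead of being sent.
    """
    leaked = set(fields) & set(sensitive_names)
    if method.upper() == "GET":
        if leaked:
            raise ValueError(f"sensitive fields would enter the Request-URI: {sorted(leaked)}")
        return ("GET", action_url + "?" + urlencode(fields), b"")
    # POST keeps the fields in the entity body, not in the URI.
    return ("POST", action_url, urlencode(fields).encode())
```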

File and Path Names Based Attack

The documents returned in response to HTTP requests should be restricted to those that the server administrators intended to be accessible.

For example, UNIX, Microsoft Windows, and other operating systems use '..' as a path component to indicate the directory level above the current one. On such a system, an HTTP server MUST disallow any such construct in the Request-URI if it would otherwise allow access to a resource outside those intended to be accessible via the HTTP server.
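The rule above is illustrated by the following added example (not code from the original tutorial): a request path is percent-decoded, backslashes are treated as separators because Windows accepts them, any '..' component is refused outright, and the remainder is normalised and anchored under the document root. The document root and paths in the example are constructed values.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

class ForbiddenPath(Exception):
    """Raised when a Request-URI would name a file outside the document tree."""

def resolve_request_path(docroot, request_uri):
    """Map the path of a Request-URI onto a file under docroot.

    The path is percent-decoded first, so '%2e%2e' is seen as '..', and
    backslashes become '/' because Windows accepts them as separators.
    Any '..' component is then refused outright, as the text requires,
    and the remainder is normalised and anchored under docroot.
    """
    path = unquote(urlsplit(request_uri).path).replace("\\", "/")
    if ".." in path.split("/"):
        raise ForbiddenPath(request_uri)
    # normpath collapses '.' and repeated slashes; anchoring at '/' first
    # means the result can never point above the tree root.
    rel = normpath("/" + path.lstrip("/")).lstrip("/")
    return docroot.rstrip("/") + "/" + rel
```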

DNS Spoofing

Clients using HTTP rely heavily on the Domain Name Service and are thus generally prone to security attacks based on the deliberate mis-association of IP addresses and DNS names. Clients therefore need to be cautious in assuming the continuing validity of an IP address/DNS name association.

If HTTP clients cache the results of host name lookups in order to improve performance, they must observe the TTL information reported by the DNS. If HTTP clients do not observe this rule, they could be spoofed when a previously accessed server's IP address changes.
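As an added example (not code from the original tutorial), the following Python host cache honours the TTL returned with each answer: an entry is never served after its TTL has elapsed, so a client re-resolves instead of reusing an address that may no longer belong to the server it first reached. The `resolver` callback and the injectable clock are assumptions made so the cache can be exercised offline.

```python
import time

class HostCache:
    """Cache of host name -> address lookups that honours the DNS TTL.

    Each entry expires at store_time + ttl. An expired entry is never
    returned, so the caller must re-resolve rather than trust the old
    address after the server's IP may have changed.
    """
    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable for testing
        self._entries = {}             # host -> (address, expires_at)

    def store(self, host, address, ttl_seconds):
        # A zero TTL in the answer means "do not cache this at all".
        if ttl_seconds <= 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = (address, self._clock() + ttl_seconds)

    def lookup(self, host):
        entry = self._entries.get(host)
        if entry is None:
            return None
        address, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[host]    # TTL elapsed: drop and force a fresh lookup
            return None
        return address

def resolve(cache, host, resolver):
    """Return the address for host, consulting the cache before the resolver.

    resolver(host) returns (address, ttl_seconds), as a DNS answer does;
    in a real client it would wrap the system resolver.
    """
    address = cache.lookup(host)
    if address is None:
        address, ttl = resolver(host)
        cache.store(host, address, ttl)
    return address
```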

Location Headers and Spoofing

If a single server supports multiple organizations that do not trust one another, then it MUST check the values of the Location and Content-Location headers in responses generated under the control of those organizations, to make sure that they do not attempt to invalidate resources over which they have no authority.
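One way a shared server can perform that check, as an added example that is not part of the original tutorial: each tenant is assigned a URL prefix it controls, and every Location or Content-Location it emits is resolved against the request URL, percent-decoded and normalised, and then required to stay under that prefix. The tenant prefixes and URLs used are constructed values.

```python
from posixpath import normpath
from urllib.parse import unquote, urljoin, urlsplit

class LocationViolation(Exception):
    """A Location or Content-Location names a resource outside the tenant's authority."""

def check_location_headers(tenant_prefix, request_url, headers):
    """Verify that Location and Content-Location stay under tenant_prefix.

    tenant_prefix is the absolute URL prefix the tenant controls, such as
    'https://shared.example/org-a/'. Relative header values are resolved
    against request_url first, because a relative '../org-b/x' names another
    tenant's resource just as well as an absolute URL does. Paths are
    percent-decoded and normalised so an encoded '..' cannot slip through.
    """
    root = urlsplit(tenant_prefix)
    root_path = normpath(unquote(root.path or "/"))
    for name in ("Location", "Content-Location"):
        value = headers.get(name)
        if value is None:
            continue
        target = urlsplit(urljoin(request_url, value))
        same_host = (target.scheme.lower(), target.netloc.lower()) == (root.scheme.lower(), root.netloc.lower())
        path = normpath(unquote(target.path or "/"))
        inside = path == root_path or path.startswith(root_path.rstrip("/") + "/")
        if not (same_host and inside):
            raise LocationViolation(f"{name}: {value}")
    return True
```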

Authentication Credentials

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide a method for a server to direct clients to discard these cached credentials, which is a significant security risk.

There are a number of workarounds for parts of this problem, so it is recommended to use password protection in screen savers, idle time-outs, and other measures that mitigate the security problems inherent in it.

Proxies and Caching

HTTP proxies are men-in-the-middle and therefore represent an opportunity for man-in-the-middle attacks. Proxies have access to security-related information, personal information about individual users and organizations, and proprietary information belonging to users and content providers.

Proxy operators should protect the systems on which proxies run as they would protect any system that contains or transports sensitive information.

Caching proxies introduce additional potential vulnerabilities, since the contents of the cache are an attractive target for malicious exploitation. Cache contents should therefore be protected as sensitive information.