Everybody recommends buying an SSL certificate for my website, which prevents many security issues, mainly eavesdropping. I have read articles on eavesdropping, but how can eavesdropping hack my website passwords?
Is SSL strictly required to protect against this, or is there any other method to do that?
Eavesdropping in the context of SSL usually implies a man-in-the-middle attack, where a hacker pretends to be your site, then collects information while relaying it between your site and the user.
Other options are:
- network traffic sniffers like Wireshark
- stand in as a router and sniff traffic
There are probably more, but this is a simple answer.
Cryptography and security are complex subjects with many subtle challenges, so if you don't feel comfortable and conversant with those, I should warn you against deploying your own security-critical application.
That said, let me just address the issue of encryption and authentication, as provided by SSL: Encryption prevents third parties from learning the content of your conversation. "Third parties" in your context would be anyone from other people in the same internet cafe to anyone along the route between your user and your server. You should essentially consider all unencrypted communication to be publicly posted on a wall.
But encryption alone does not guarantee that the person you are conversing with is in fact the intended partner. An attacker could, with relative ease, link himself into the conversation and pretend to the user to be the server and to the server that he's the user, thus reading everything that's said, encrypting and decrypting each channel as appropriate. To avoid this man-in-the-middle attack, authentication is crucial. This is made possible in one direction by the use of certificates.
That is, if your server has a certificate, then the user can be sure to be talking to the right server. (The client doesn't usually get a certificate, as authentication in that direction is rather performed higher up in the flow.) But it all boils down to whether your users know your certificate. In principle, you have to supply your server certificate to the user "by reliable means", but there's no general recipe for doing so. (A phone call would be fairly good.) Instead, a "hierarchy of trust" can be invoked by which users trust certificates which are recursively trusted by higher and higher authorities. Since a collection of such trusted root authorities is shipped with most browsers, a purchased certificate with their signature will make your own certificate appear as "trusted" to the user.
Practically, the question is whether users will care about the trustedness of certificates. In the ideal world they would decline all untrusted ones, and you would be forced to obtain a signed certificate. But many contemporary legitimate bodies do use unsigned certificates, so that many users are totally trained to ignore this problem.
That said, you might get away with an unsigned certificate, but by requiring users to trust an untrusted certificate, you are training people to do the Wrong Thing, which may eventually backfire on all of us. Your call.
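The point made above, that encryption without authentication lets a relay sit between both parties and re-encrypt each leg, can be seen in a small simulation. The following is an added example and is not code from the question or any of the answers: it runs a toy Diffie-Hellman exchange (constructed small group, no real security) with and without the server proving that its key-exchange value came from the holder of a credential the client already trusts. The HMAC key SERVER_CREDENTIAL is a hypothetical stand-in for the certificate signature and the trusted root that a browser ships with; it is used so the example needs nothing beyond the standard library.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for readability. Real TLS uses standardised
# groups (X25519, ffdhe2048); parameters this small offer no security.
P = 2305843009213693951  # 2**61 - 1, a Mersenne prime
G = 5

# Hypothetical stand-in for the server credential the client received "by reliable
# means". In TLS this role is played by the CA signature on the server certificate
# plus the CA root shipped with the browser; here a key the client already holds
# plays the same role.
SERVER_CREDENTIAL = b"hypothetical-server-credential"


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    """Hash the shared secret (peer_pub^priv mod p) into a 32-byte session key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(8, "big")).digest()


def authenticate(pub):
    """Server side: bind its DH value to the credential (stands in for a signature)."""
    return hmac.new(SERVER_CREDENTIAL, pub.to_bytes(8, "big"), "sha256").digest()


def verify(pub, tag):
    """Client side: check the DH value really came from the credential holder."""
    return hmac.compare_digest(authenticate(pub), tag)


def handshake(authenticated, attacker_present):
    """Simulate one key exchange and report who ends up able to read the traffic."""
    s_priv, s_pub = dh_keypair()
    c_priv, c_pub = dh_keypair()
    tag = authenticate(s_pub) if authenticated else None

    pub_seen_by_client = s_pub
    pub_seen_by_server = c_pub
    a_priv = None
    if attacker_present:
        # The relay swaps in its own DH value on both legs. It cannot produce a
        # valid tag for that value because it does not hold the credential.
        a_priv, a_pub = dh_keypair()
        pub_seen_by_client = a_pub
        pub_seen_by_server = a_pub

    # With authentication the client refuses a value whose tag does not verify.
    if authenticated and not verify(pub_seen_by_client, tag):
        return {"client_aborted": True, "keys_match": False, "attacker_reads": False}

    client_key = dh_session_key(c_priv, pub_seen_by_client)
    server_key = dh_session_key(s_priv, pub_seen_by_server)
    attacker_reads = False
    if attacker_present:
        # The relay shares one key with each side, so it can decrypt and re-encrypt.
        attacker_reads = (
            dh_session_key(a_priv, c_pub) == client_key
            and dh_session_key(a_priv, s_pub) == server_key
        )
    return {
        "client_aborted": False,
        "keys_match": client_key == server_key,
        "attacker_reads": attacker_reads,
    }


if __name__ == "__main__":
    for auth in (False, True):
        for relay in (False, True):
            print(f"authenticated={auth} relay={relay} -> {handshake(auth, relay)}")
```

Without authentication the two ends each agree a key with the relay rather than with each other and never notice; with authentication the client aborts before any session key exists, which is exactly what a browser's certificate check buys you.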
Did you read about FireSheep at all?
http://codebutler.com/firesheep
FireSheep makes it easy for any Joe Schmoe to steal private data when SSL isn't implemented. Check out any of these news articles:
http://robert.accettura.com/blog/2010/10/26/firesheep-demonstrates-the-need-for-ssl/
http://blogs.computerworld.com/17254/i_hijacked_a_facebook_account_with_firesheep
http://www.geek.com/articles/news/firesheep-firefox-add-on-allows-simple-http-session-hijacking-20101025/
Main Point: If you want to protect your users' data, use SSL.
Yes! SSL is strictly required. If you send plain text over the network, hackers can see what you are sending. Sending an encrypted text over the network will give away your hashed password, which is much more dangerous. So, you need to send information across SSL.
Hackers can always use sslstrip to strip SSL from any webpage: banking, PayPal, Facebook and so on, therefore seeing anything that goes across in plain text. Firesheep is a good tool; even a blind person could use it, it's that easy. But that is more session hijacking. This is done by stealing cookies or crafting your own. Your web site only uses SSL on login; after that it drops encryption and uses a session ID number that's in a cookie. Steal the cookie and you're logged in as whoever you stole it from. Firefox has a good add-on to craft cookies manually besides using Firesheep.
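The two failure modes described in this answer, a site that drops SSL after login and a session cookie that the browser will happily send over plain HTTP, both show up in the response headers a server emits. The following is an added example and not code from any of the answers: a small audit of one response's headers that flags a session cookie lacking Secure or HttpOnly, a missing Strict-Transport-Security header (the header designed to stop the protocol downgrade sslstrip relies on), and an HSTS max-age below the commonly recommended one year. The header sets WEAK_LOGIN_RESPONSE and HARDENED_LOGIN_RESPONSE are constructed for the example; the cookie-name hints used to guess which cookies carry a session are an assumption you would tune for your own site.

```python
# Substrings that commonly mark a session cookie; an assumption, adjust per site.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")
ONE_YEAR = 31536000  # seconds; commonly recommended HSTS minimum


def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(value):
    """Return the max-age directive of a Strict-Transport-Security value, or 0."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_headers(headers, served_over_tls):
    """Return a list of findings for one response given as [(header, value), ...]."""
    findings = []
    if not served_over_tls:
        findings.append("served over plain HTTP: everything in this response is readable on the wire")
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = value
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if not any(hint in cname.lower() for hint in SESSION_COOKIE_HINTS):
                continue  # a theme or language cookie is not worth stealing
            if "secure" not in attrs:
                findings.append(f"cookie {cname}: no Secure flag, so the browser also sends it over http://")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname}: no HttpOnly flag, so page scripts can read it")
            if attrs.get("samesite", "").lower() not in ("lax", "strict"):
                findings.append(f"cookie {cname}: SameSite is not Lax or Strict")
    if served_over_tls:
        if hsts is None:
            findings.append("no Strict-Transport-Security: a later http:// request can be kept on http://")
        elif hsts_max_age(hsts) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age below one year: {hsts}")
    return findings


# Constructed sample responses for a login endpoint.
WEAK_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_headers(headers, served_over_tls=True) or ["no findings"])
```

Run against captured headers from your own site (curl -I on the login page is enough), the audit reads the same headers a sniffer or Firesheep would see; the hardened variant is the minimum for a site that keeps a logged-in session in a cookie.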