What are the best ways to prevent your website from being phished?

Posted on 2024-09-01 23:02:43 | 62 characters | 12 views | 0 comments


What are the best ways to prevent your website from being Phished? Please cite some technical suggestions and references if possible.

Thank you!


Comments (8)

隐诗 2024-09-08 23:02:44


You can use a one-time password (OTP) via mobile SMS or email to prevent phishing attacks. And instead of asking for an OTP for all logins, you can do it once whenever there is a new IP. This way it can be less annoying for the user.

只怪假的太真实 2024-09-08 23:02:44


I think phishing can vary a lot from web site to users. I can set up a new Gmail website with a different domain name like gmai1.com (the number 1, not l) and send it to everybody to login to my email. How can you prevent it? The users usually have to be careful. It is really hard to have a silver bullet here.

草莓味的萝莉 2024-09-08 23:02:44


Talk about using secure browsers (not IE) and about site verification issues that involve simple checking (a green domain name "certificate" next to the URI in Firefox that's green indicates a verified site). Edit: this particular method hence defeats fake sites that use similarly-printed characters (Cyrillic, etc)

怀中猫帐中妖 2024-09-08 23:02:44


The BOFA website does something interesting that I really like, and I do believe it helps. They make you choose an image icon from a set when you register your account, and every time you login it displays this image... if the image is not the same or not present, it's a sign for the user that they are being ....

月棠 2024-09-08 23:02:44


I don't like the price tag, and I'm not entirely convinced of the usefulness, but EV SSL is touted as a preventative measure.

Also, as m0s points out, showing user-selected information like pictures at some point during or after the authentication process is a step being taken by some sites, like banks.

The Anti-Phishing Working Group has a list of solutions directed towards web developers.

None of these things is a surefire solution, since the real key is user education and caution, but they certainly can't hurt.

来日方长 2024-09-08 23:02:44


What the result shows may not be phishing, but one thing I noticed about the phishing site is that there are many folders with 32-character-long names, and there are a lot of these folders. Inside each folder you may find phishing content. Use the following command to find the folders with 32-character-long names and scan them manually to check whether they are phishing or not.

#find /home*/*/public_html/* -type d -name "????????????????????????????????" > phishing.txt

You are free to use other techniques and can share if you like.
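The same check as the find(1) command above, written as an added Python example (not the poster's code) that walks a web root, lists every directory whose name is exactly 32 characters, and additionally notes which names are plain hex strings; the tree it scans is a constructed sample built in a temporary directory, and the hex heuristic is an assumption of this example, not something the answer states.

```python
import os
import re
import tempfile
from collections import defaultdict

# Directory names of exactly 32 characters, as in the find(1) pattern above.
NAME_LEN = 32
# Added heuristic (assumption): hash-like all-hex names are worth a closer look.
HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def find_suspicious_dirs(web_root):
    """Walk web_root and return {parent_dir: [(name, looks_hex), ...]}
    for every directory whose name is exactly NAME_LEN characters."""
    hits = defaultdict(list)
    for parent, dirnames, _files in os.walk(web_root):
        for d in dirnames:
            if len(d) == NAME_LEN:
                hits[parent].append((d, bool(HEX_RE.match(d.lower()))))
    return dict(hits)


def build_sample_tree():
    """Construct a throwaway public_html tree (constructed sample data):
    two hex-looking 32-char dirs, one non-hex 32-char dir, two normal dirs."""
    root = tempfile.mkdtemp(prefix="public_html_")
    for name in ("0123456789abcdef0123456789abcdef",
                 "fedcba9876543210fedcba9876543210",
                 "x" * 32, "images", "css"):
        os.makedirs(os.path.join(root, name))
    os.makedirs(os.path.join(root, "images", "thumbs"))
    return root


def summarize(web_root):
    """Return (number of 32-char dirs, how many of them are all-hex)."""
    hits = find_suspicious_dirs(web_root)
    names = [n for lst in hits.values() for n in lst]
    return len(names), sum(1 for _, is_hex in names if is_hex)


if __name__ == "__main__":
    root = build_sample_tree()
    for parent, names in find_suspicious_dirs(root).items():
        print(parent, ":", ", ".join(n for n, _ in names))
    print(summarize(root))  # (3, 2) on the constructed sample tree
```

Point `find_suspicious_dirs` at a real document root (for example a `public_html` directory) to get a list to review by hand, as the answer suggests; the script only reports, it never deletes anything.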

戴着白色围巾的女孩 2024-09-08 23:02:43


Websites aren't phished -- users are. The most you can do is get an SSL certificate and, on your login screen, make a huge deal about golden padlocks and domain names (thanks codeka) and such.

何必那么矫情 2024-09-08 23:02:43


Not sure if this is what you mean, but sometimes websites can be "hijacked" using CSRF or XSS attacks.

XSS can particularly happen when you allow users to enter arbitrary text and don't ensure they're not entering arbitrary HTML code.

CSRF can happen if you don't ensure a link someone clicks in their browser originated from your website (they can authenticate on your website, get a cookie indicating they're authenticated, open a new tab, and be tricked into clicking a link on another website in the other tab that points to your website and causes some action to happen there).

Those links discuss mitigation strategies.
