如何防御 TabNabbing?

发布于 2024-09-06 03:53:13 字数 175 浏览 8 评论 0原文

我非常担心阅读Aza Raskin 的这篇天才帖子

有哪些非浏览器解决方案可以防御 TabNabbing?有吗?

I got very concerned reading this genius post by Aza Raskin.

What are the non-browsers solutions to defend against TabNabbing? Are there any?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

残月升风 2024-09-13 03:53:13

“Tab Nabbing”并不是一种新的攻击,拉斯金先生正在抄袭其他研究人员的工作。 GnuCitizen 的 PDP 早在 2008 年就发现了这一点。

我认为最大的威胁是网络钓鱼。老实说,我认为没有一个好的解决方案来阻止网络钓鱼。我认为这个特殊问题应该由浏览器解决。最终 Firefox 和 Chrome 将会解决这个问题。老实说 SSLStrip 是所有浏览器面临的更大威胁,可以同时使用这种重定向攻击。目前 chrome 有一个形式为 STS 和 Firefox 的形式为 HTTP 无处不在。使用 noscript 还有助于减轻这种重定向攻击。

"Tab Nabbing" is not a new attack, Mr Raskin is ripping off other researchers work. PDP from GnuCitizen discovered this back in 2008.

The biggest threat as I see it is Phishing. To be honest I don't think there is a good solution to stop phishing. This particular issues I think should be fixed by the browser. Eventually Firefox and Chrome will get around to fixing it. To be honest SSLStrip is a bigger threat that all browsers face, which can be used along side this redirection attack. Currently chrome has a fix in the form of STS and Firefox in the form of HTTPs Everywhere. Using noscript will also help mitigate this redirection attack attack.

狼性发作 2024-09-13 03:53:13

可以防止这种情况发生的一件事是双因素身份验证,使用类似的东西RSA 令牌(不幸的是,该国只有一家银行提供此方法)。

RSA 令牌是一个 USB 棒大小的小工具,上面有一个不断变化的序列号,并且它是颁发给您的(每个棒都有不同的数字序列)。当您登录银行网站时,您必须提供登录/密码,以及 RSA 令牌上的当前号码 - 该号码每两分钟更改一次。这意味着,如果坏人收集了您的登录详细信息,他们只有不到两分钟的时间登录您的帐户,然后当前 RSA 序列号就会发生变化,并且捕获的登录详细信息将无法重复使用。

不过,这种 2 因素身份验证并不是灵丹妙药,我没有看到 Google 为你的随机 Gmail 帐户推出此功能,Facebook 也不会。对于金融机构和在线政府部门应该强制执行,这将缩小此类攻击的范围。它是远程访问公司网站门户和远程网络登录常用的保护机制,并且在这方面是相当成功的。

但这仍然没有回答您的问题 - 作为网站作者或所有者,您如何才能防止这种情况发生?您不能,除非您不运行第三方脚本,并定期检查您的页面以确保您没有受到损害并插入了脚本。您永远不应该考虑尝试扫描任何第三方脚本,因为它们可能会被混淆到令人难以置信的程度,而您根本无法扫描。如果您确实运行第三方脚本并且对此有足够强烈的感觉,那么您可能想要设置一台机器,它所做的只是在您的网站上进行自动化 UI 测试 - 这是很容易设置的事情,只需进行一些基本测试即可让其每 30 或 60 分钟测试一次您的实时网站,寻找意想不到的结果。

One thing that will prevent this sort of thing from happening is two factor authentication using something like an RSA token (unfortunately only one bank in this country provides this method).

The RSA token is a little USB stick sized gadget that has a continuously changing serial/sequence number on it, and it is issued to you (each stick has a different sequence of numbers). When you logon to your bank's website, you have to supply you log/pass, and also the current number on the RSA token - that number changes every two minutes. That means that if the bad guys collect your login details they have less than two minutes to login to your account before the current RSA sequence number changes and the captured login details become impossible to reuse.

This 2 factor authentication is not the silver bullet though, i don't see Google rolling this out for your random Gmail account, and neither will Facebook. It should be mandatory for financial institutions and online government departments, this will cut the scope of this type of attack. It is a commonly used protection mechanism for remote access to company website portals and remote network logins, and it is quite successful for this.

This still hasn't answered your question though - how can you as an website author or owner prevent this? You can't, unless you don't run third party scripts, and regularly check your pages to make sure you haven't been compromised and had a script inserted. You should never consider trying to scan any third party scripts, because they can be obfuscated to an incredible degree which you can't possibly scan for. If you do run third party scripts and feel strongly enough about this, then you might want to setp a machine which all it does is automated UI tests on your web site - it is an easy enough thing to set up with some basic tests and just leave it testing your live site every 30 or 60 minutes looking for unexpected results.

友谊不毕业 2024-09-13 03:53:13

正如他建议的那样,使用密码管理器。如果您每次都输入密码,可能会出现很多其他问题。对于密码管理器不起作用的网站,你就完蛋了。客户端证书。

Like he suggests, use the password manager. There are quite a few other problems that can happen if you type your password every time. For sites that the password manager doesn't work, you're screwed. Client certificates ftw.

一桥轻雨一伞开 2024-09-13 03:53:13

我刚刚访问了您提到的页面,我的免费病毒检查程序 (AVG) 立即检测到威胁(我认为他在页面上有一个示例)并警告我存在 Tabnapping 漏洞。

这就是一种简单的可能性

I just visited the page which you mention and my free virus checker (AVG) immediately detected a threat (I presume that he has an example on the page) and warned me of a Tabnapping Exploit.

So that's one, easy, possibility

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文