SSL should be used anywhere where you are communicating information that should not be public. It is a very dangerous assumption to believe that no-one is listening to traffic between your computer and the remote server.
All someone needs to do to snoop traffic is be on your network - they don't need admin access to your router. Without using SSL for sensitive communications, a single machine with a virus on a coworker's computer is all that is needed for stealing your identity.
The ISP also has access to all network traffic - how much do you trust their techies?
Dear User,
We've decided against encrypting our internet traffic because we just don't think it's important. We decided that it's really too hard to monitor internet traffic, so if anyone really is prepared to go to that effort, well they deserve all the data they can get their hands on. If you're using an old style of router, have corrupt IT staff and/or co-workers, or someone just doesn't like you and decides to steal your data, we accept no liability.
We advise against you telling anyone about our decision, as this will direct unwanted attention to our IP traffic.
Kindest Regards,
Good Enough Programming
Disclaimer: If you are a hacker and stumbled across this message while monitoring IP traffic, we politely point out that what you are doing is illegal, and request that you pretend you never saw it.
The problem is that using, say, WPA2 only secures the connection between your computer and the router. There is a large piece of unsecured network between the router and the destination - that's the design of the internet. You don't know who is along the path and there could be any number of malicious (or just nosey) listeners out there. They may not even be in your jurisdiction so preventing eavesdropping may well be impossible.
SSL gives you an encrypted tunnel all the way to the other end.
If you're talking about a small company LAN where no traffic leaves the internal network then sure, don't bother with SSL if you don't want to. But if anything sensitive goes across the internet then you really want to use SSL to stop anyone seeing it. It's all about how important the information is.
One thing to be aware of is that many websites use cookies to remember login information. If those cookies go across the internet in the clear then it is fairly trivial to hijack the session - think FireSheep. Thus, you need to be very careful about what you consider to be "sensitive" information. Given that many business applications are moving to remote servers (I think the young'uns call it "the cloud") this is not a minor issue.
Long story short, use SSL if there is anything you don't want anyone else to see going across a network that is not entirely in your control.
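The FireSheep point above comes down to one cookie attribute: a session cookie without `Secure` is sent by the browser over plain HTTP and can be read by anyone on the path. The following is an added example, not code from the answer or from any project it mentions, that audits `Set-Cookie` headers for the attributes that keep a login cookie off cleartext links. The header lines are constructed samples, and the session-name heuristic (`SESSION_HINTS`) is my own assumption.

```python
"""Audit Set-Cookie headers for attributes that keep session cookies off cleartext links.

Added example; the header lines below are constructed samples, not captured traffic.
"""
from typing import Dict, List

# Constructed sample response headers: one hardened cookie, one session cookie
# a browser would happily send over plain HTTP, and one harmless preference cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: PHPSESSID=def456; Path=/",
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000",
]

# Assumed heuristic: cookie names that usually carry login state.
SESSION_HINTS = ("sess", "sid", "token", "auth")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into its name/value pair plus an attribute map.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": val.strip()}
    for attr in parts[1:]:
        key, _, v = attr.partition("=")
        cookie[key.strip().lower()] = v.strip()
    return cookie


def looks_like_session(name: str) -> bool:
    """True when the cookie name suggests it carries login state."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookie(cookie: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one parsed cookie."""
    findings = []
    if "secure" not in cookie:
        findings.append("missing Secure: browser will send it over plain HTTP")
    if looks_like_session(cookie["name"]):
        if "httponly" not in cookie:
            findings.append("missing HttpOnly: readable from page scripts")
        if "samesite" not in cookie:
            findings.append("missing SameSite: sent on cross-site requests")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> findings for every Set-Cookie header that has at least one."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(header)
        findings = audit_cookie(cookie)
        if findings:
            report[cookie["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it against a real server by feeding it the `Set-Cookie` lines from a response; the hardened `sessionid` cookie produces no findings, while `PHPSESSID` as issued above would be exposed on any cleartext request the browser makes to the same host.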
SSL provides authentication and encryption.
It is somewhat difficult to MITM an unencrypted connection, but not so hard on the unencrypted wireless network you gave as an example. Any network that allows you to ARP spoof (many switched wired networks) allows you to MITM as well. But you're forgetting about every router along the way. Remember a few months back when a (hopefully) poorly configured router in China routed a significant, though small in relative terms, portion of Internet traffic? They could've seen your plaintext. So can other customers on a cable network, and so on.
But SSL also provides authentication. If I get the private key to a valid SSL cert from you, I'm damn confident that you are who you say you are - doubly so if it's a competent CA.
But the bigger concern is - you don't quite seem to understand SSL, so I'd advise you against making a decision one way or the other by yourself - at least until you read more. SSL does not require you to generate a new key every request, and in fact would not work if it did. Furthermore, any reasonably-recent computer can handle thousands of SSL requests simultaneously - the algorithms are very fast. Furthermore, you can use encryption accelerators that offload the work to a dedicated piece of hardware.
If you think you might need to use SSL to secure some data, and often if you don't, there are almost no reasons to avoid it. Yes there is some expenditure involved but any data of consequence is worth the $300/yr.
EDIT: I read your comment - this is a client app? The solution in your case is probably to use self-signed keys, and you can distribute the public key with the app. This allows you to encrypt and verify that you're talking to who you should be.
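The "distribute the public key with the app" suggestion in the edit above is certificate pinning: the client trusts only the certificate that shipped with it, not the system CA store. The following is an added example, not code from the answer, showing how a Python client does that with the standard `ssl` module. The bundled file path, host, port and expected fingerprint are placeholders to be filled in by whoever builds the app; `fingerprint` and `pinned_client_context` are my own helper names.

```python
"""Client-side pinning of a self-signed server certificate (added example).

Assumptions: the app ships the server's self-signed certificate as a PEM file
(BUNDLED_CERT_PEM) and, optionally, the SHA-256 fingerprint of its DER form.
"""
import hashlib
import socket
import ssl
from typing import Optional

# Placeholders: replace with the app's real bundled certificate and its fingerprint.
BUNDLED_CERT_PEM = "/path/to/bundled-server-cert.pem"
EXPECTED_SHA256 = "<sha256 of the server certificate in DER form>"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the certificate's DER bytes, hex-encoded, as used for pinning."""
    return hashlib.sha256(der_cert).hexdigest()


def pinned_client_context(bundled_pem: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that trusts only the bundled certificate.

    PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on, and
    with *no* trusted CAs: until load_verify_locations is called, every server
    is rejected, which is exactly the behaviour a pinned client wants.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if bundled_pem is not None:
        ctx.load_verify_locations(cafile=bundled_pem)  # the self-signed cert acts as the only CA
    return ctx


def connect_pinned(host: str, port: int, bundled_pem: str, expected_sha256: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and additionally compare the peer cert's fingerprint.

    The context already rejects certificates not signed by the bundled one; the
    fingerprint check is belt-and-braces against a bundled file being swapped.
    """
    ctx = pinned_client_context(bundled_pem)
    raw = socket.create_connection((host, port), timeout=timeout)
    ssock = ctx.wrap_socket(raw, server_hostname=host)
    der = ssock.getpeercert(binary_form=True)
    if der is None or fingerprint(der) != expected_sha256.lower():
        ssock.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return ssock


if __name__ == "__main__":
    # Placeholder host/port; this only succeeds against the server whose cert is bundled.
    with connect_pinned("app.example", 443, BUNDLED_CERT_PEM, EXPECTED_SHA256) as s:
        print("connected with cipher", s.cipher())
```

Keep `check_hostname` enabled: the bundled self-signed certificate must carry the server's name in its Subject Alternative Name, otherwise the handshake fails for the right reason. Rotating the server key means shipping a new certificate with the app, which is the operational cost of pinning.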
I don't think that every website needs SSL, if you do then use it, but there are cases where you want to be able to authenticate a user without having to use SSL.
I've created (javascript->perl) single use random hash authentication for just this purpose.
http://www.furiousgryphon.com/jauthenticatedemo.html
https://github.com/thomasoeser/jAuthenticate
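A "single use random hash" login is a challenge-response scheme: the server hands out a random nonce, the client returns a MAC of that nonce keyed by something derived from the password, and the nonce is consumed so a captured response cannot be replayed. The following is an added example of that pattern in Python, not the jAuthenticate code linked above; the PBKDF2-derived verifier, the 60-second nonce lifetime and the class/function names are my own assumptions.

```python
"""Single-use challenge-response login without TLS (added example, not jAuthenticate).

Assumptions: the server stores a PBKDF2 verifier per user instead of the password,
the client proves knowledge of the password by returning HMAC-SHA256(verifier, nonce),
and every nonce is removed on its first use, successful or not.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

NONCE_TTL_SECONDS = 60  # assumed lifetime of an unanswered challenge


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Password-derived key shared by client and server (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, verifier)
        self.nonces: Dict[str, Tuple[str, float]] = {}    # nonce -> (user, issued_at)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_verifier(password, salt))

    def challenge(self, user: str) -> Optional[Tuple[bytes, str]]:
        """Issue a fresh random nonce; the salt is returned so the client can derive the verifier."""
        if user not in self.users:
            return None
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (user, time.time())
        return self.users[user][0], nonce

    def verify(self, user: str, nonce: str, response_hex: str, now: Optional[float] = None) -> bool:
        """Accept a response at most once per nonce, using a constant-time comparison."""
        entry = self.nonces.pop(nonce, None)  # single use: gone even when the attempt fails
        if entry is None:
            return False
        issued_user, issued_at = entry
        now = time.time() if now is None else now
        if issued_user != user or now - issued_at > NONCE_TTL_SECONDS:
            return False
        _, verifier = self.users[user]
        expected = hmac.new(verifier, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response_hex)


def client_response(password: str, salt: bytes, nonce: str) -> str:
    """Client side: derive the verifier from the typed password and MAC the nonce."""
    verifier = derive_verifier(password, salt)
    return hmac.new(verifier, nonce.encode(), hashlib.sha256).hexdigest()


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine login accepted, replayed response rejected, wrong password rejected)."""
    srv = Server()
    srv.register("alice", "correct horse battery staple")
    salt, nonce = srv.challenge("alice")
    resp = client_response("correct horse battery staple", salt, nonce)
    first = srv.verify("alice", nonce, resp)
    replay = srv.verify("alice", nonce, resp)  # same (nonce, response) seen on the wire
    salt2, nonce2 = srv.challenge("alice")
    wrong = srv.verify("alice", nonce2, client_response("guess", salt2, nonce2))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())  # expected (True, False, False)
```

What this buys and what it does not: a listener who records the nonce and the response cannot log in with them again, and never sees the password itself. It can still try passwords offline against the captured pair, the verifier on the server is as sensitive as the password (whoever reads the user table can answer challenges), and everything exchanged after the login, the chat text in the other answer's example included, is still in the clear. That is the gap SSL closes and this scheme does not.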
One of the things most people here are forgetting to address is what do you consider sensitive data? What one person considers boring useless data may be considered highly confidential by someone else, or vice versa. So what are you going to do? Use SSL on all the data to play it safe so that you don't get sued? Get real. Take a chat program for example. Most would agree that encrypting the username and password would be important, but what about the chat text itself? Most chat is mundane stuff and eliminating SSL will provide better performance. Personally, I would let the end user decide what is important and then provide SSL for only those types of information that they feel needs to be encrypted. That's what Google does with Gmail. You have the choice of using SSL or not.