Vixual

弱点扫瞄

弱点: Site does not enforce HTTPS

The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:

1. Open Wi-Fi Hotspots
2. WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
3. Malicious Wi-Fi access points
4. Compromised switches and routers
5. ARP poisoning on the same wired network

It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site that does not contain sensitive information, an attacker can still inject malicious content to a user’s browser.

• Severity: High
• Risk: Site does not enforce the use of HTTPS encryption, leaving the user vulnerable to man-in-the-middle attackers (who can falsify data and inject malicious code).
• Recommendation: Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS.

解决方法

说明

如果网站没有强制使用 https 加密，可能会因 DNS 劫持，或其它网络环境的安全因素，而遭受中间人攻击或旁观者攻击! 所以网站应该要申请 SSL 凭证，并强制将所有的网页通过 https 加密传输资料。

执行步骤

1. 自行申请 SSL 凭证。

2. 于网站的根目录建立一个 .htaccess 档案，档案内容:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

参考网页

• 如何解决 Web/Mail Server 使用了不安全的 SSL 通讯协定 | Vixual
• 如何解决 SSH Server 使用了不安全的加密算法: ARCFOUR、CBC、HMAC-MD5、HMAC-RIPEMD160 | Vixual
• 如何解决 TLS/SSL 使用了不安全的加密算法: ARCFOUR、CBC、HMAC-MD5、HMAC-RIPEMD160 | Vixual
• Chromium - Marking HTTP As Non-Secure