12:17 Intercepting passwords | |
| Category:organizational, operational. Interception of passwords can be made when transferring it from the user to the server, it solved the mandatory use of a secure connection (https, ftps) when working with the server. I remember Sergei Ryzhikov, speaking on Hayloade or Rita (do not remember), someone asked from the present goes to admin over a secure connection, and in return was raised not too many hands. From what we can conclude that walk through some of the conference with wi-fi sniffer can little to transform runet.Krome of possible theft, using so-called "phishing" site, ie site user's browser is replaced with an identical, after entering data into the login form, enters a password to an attacker, in this case is important to have "signed certificate site. When using such a certificate, a special company (eg http://verisign.com), confirms that this is indeed the site, which is expected, besides the signed certificate, certify the same and the user site (which is important, such as payment) . This service costs about $ 800 per year (the cost affects the level of protection and ownership of the company, a provider of services) I always amaze organizations that are lazy to make a normal certificate, especially in this plan touches webmoney. Thank God, now they honored to do the normal certificate, but a month ago, I honestly cheated by the fact that the browser complains to the site on which I, among other things, the money derzhu.Ko all other self-signed certificates can cause various minor bugs: for example, refuses to work with a bunch of IE + Flash. I killed a lot of time figuring out why stopped working on prodakshene multizagruzchik, which at the same time quietly worked himself to the test server. | |
|
| |
| Total comments: 0 | |