SSL and Session Hijacking/Fixation

Submitted by 久未见 on 2020-01-25 00:58:26

Question


Quick question. Does SSL totally prevent session hijacking/fixation? Thanks.


Answer 1:


No. Hijacking may be done for example in these scenarios:

  • Hacked CA root signs invalid certificates. The certificate may be used to stage man-in-the-middle attacks.
  • Hacked domain owner e-mail inbox makes it possible for the hacker to buy a domain-validated certificate.
  • Bad key policies may make it possible for an attacker to gain the private key for the certificate.
  • A local attack on the client computer may make it possible to see what's going on in the system, including reading session cookies, intercepting SSL traffic, injecting false CA root certificates in the system's keychain and so on.
  • An intrusion by an attacker on the server may be used in any number of ways to intercept traffic, reroute packets or read important system files.
  • The client library must validate the SSL certificate and deny sessions with invalid or expired certificates, otherwise it's as trivial to intercept the HTTP traffic as if it were in plain text.
  • It may be possible with an XSS attack which gives the cookie away. Web browsers should try to protect against this but you never know if all components work as expected.

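The fixation and cookie points in the answer above, as an added Python example that is not part of the original question or answer: the session id is rotated on login so that an attacker-planted id never becomes an authenticated one, the session cookie carries the Secure, HttpOnly and SameSite flags that limit theft over a weak channel or via XSS, and a small helper checks that a client TLS context actually validates the server certificate. The in-memory store, the function names and the cookie name `sid` are assumptions made for this example.

```python
import secrets
import ssl
from http.cookies import SimpleCookie
from typing import Optional

# Constructed in-memory session store for the example: session_id -> session data.
SESSIONS: dict = {}


def new_session_id() -> str:
    """Unguessable session identifier (256 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(32)


def login(presented_sid: Optional[str], user: str) -> str:
    """Authenticate the user and rotate the session id.

    Fixation defence: whatever id the client presented (possibly planted by an
    attacker) is discarded and a fresh id is issued after authentication, so a
    pre-set id can never become an authenticated one.
    """
    if presented_sid in SESSIONS:
        del SESSIONS[presented_sid]
    sid = new_session_id()
    SESSIONS[sid] = {"user": user}
    return sid


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value for the session id with hardening flags.

    Secure   - never sent over plain HTTP, so a downgraded or sniffed channel
               does not expose it
    HttpOnly - not readable from script, so an XSS cannot simply read it out
    SameSite - not attached to cross-site requests
    """
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


def client_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if a client TLS context validates the certificate chain and
    the hostname (the 'client library must validate' point in the answer)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```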

Source: https://stackoverflow.com/questions/10801916/ssl-and-session-hijacking-fixation
