As more and more companies go digital, cybersecurity is forever going to be a concern to the world. Hackers are in every way doing all they can to ensure they compromise the integrity of your system. In the same manner, all hands must be on deck to ensure your organization or website is many steps ahead of them.

随着越来越多的公司实现数字化，网络安全将永远成为世界关注的问题。 黑客正在以各种方式竭尽所能，以确保它们损害了系统的完整性。 同样，所有人员必须齐心协力，以确保您的组织或网站领先许多步骤。

Over time, I have received questions from friends, colleagues, and readers on how best to secure a website from potential cyberattacks. The truth is that there are many answers to that question. But I’d rather focus on how to protect users from being victims of phishing attacks and data theft.

随着时间的流逝，我收到了来自朋友，同事和读者的有关如何最好地保护网站免受潜在网络攻击的问题。 事实是，这个问题有很多答案。 但是我宁愿专注于如何保护用户免受网络钓鱼攻击和数据盗窃的伤害。

In this article, we’ll look at how to ensure your website’s users are protected at all times, especially if your site accepts credit card information. Just as it is with most of my articles, I’ll be taking a practical approach to this.

在本文中，我们将研究如何确保您的网站用户始终受到保护，尤其是当您的网站接受信用卡信息时。 就像我的大多数文章一样，我将采用一种实用的方法。

I’ll show you how a seemingly unprotected website isn’t protecting its users through relatively inexpensive cybersecurity steps. Our target website this time is AllTheThings.com. You may want to check out the website as you read on. If you want to build a more robust system, you’ll find this very useful.

我将向您展示看似不受保护的网站如何无法通过相对便宜的网络安全步骤来保护其用户。 这次我们的目标网站是AllTheThings.com。 您可能想在继续阅读时查看该网站。 如果您想构建一个更强大的系统，将会发现它非常有用。

我们网站的主要网络威胁是什么？ (What Is The Major Cyber Threat of Our Website?)

The first thing in setting top security protocol is often to determine who you’re protecting your website against. Our target website, ATT, is currently under threat from a hacking group known simply as MGHC. But knowing their name is simply not enough, we need to understand MGHC’s tactics and attack strategies to mitigate them.

设置顶级安全协议的第一件事通常是确定要保护谁的网站。 我们的目标网站ATT目前受到一个名为MGHC的黑客组织的威胁。 但是仅仅知道他们的名字是远远不够的，我们需要了解MGHC的策略和攻击策略以减轻它们的影响。

Putting 100% effort into securing everything, all the time, is not realistic. If we know MGHC’s “M.O.,” we can secure the most probable target(s) first. For example, are they creating spoof websites that prey on common misspellings of the domain (AllTheThing.com, AllTehThings.com, AllTheThings.co, AlTheThings.com)?

始终不遗余力地确保所有事情的安全是不现实的。 如果我们知道MGHC的“ MO”，我们可以首先确保最可能的目标。 例如，他们是否正在创建欺骗域名的欺骗性网站(AllTheThing.com，AllTehThings.com，AllTheThings.co，AlTheThings.com)？

Are they scanning for open ports in the ATT (All The Things) ecosystem, trying to find access to the databases or holes in a web server? Are they phishing users with emails trying to get access to the system, with the plan of using SQL injection to elevate the rights for that compromised user to root?

他们是否正在扫描ATT(万物)生态系统中的开放端口，试图找到对数据库的访问或Web服务器中的漏洞？ 他们是否正在使用试图利用系统访问权的电子邮件来诱骗用户，并计划使用SQL注入来提高该受感染用户的root权限？

If they are doing all this, can we detect the IP addresses they are using to do this? And if so, can we block traffic from these IPs? Are they calling into the help desk pretending to be an aggrieved customer, then seducing the customer service agents to reset a password over the phone?

如果他们正在做所有这些事情，我们可以检测到他们正在使用的IP地址吗？ 如果是这样，我们可以阻止来自这些IP的流量吗？ 他们是在假装自己是受屈的客户时打电话到服务台，然后诱使客户服务代理通过电话重设密码吗？

Yes, it’s great to use strong cryptography and valid certificates, but if we lock the front door of the house with ten deadbolts but leave all the windows open, what is the point? Knowing their tactics and blocking them sends a message: “We know you are there, and we are ready to fight you.”

是的，使用强大的加密技术和有效的证书非常好，但是，如果我们用十个锁舌锁定房屋的前门，但将所有窗户都打开，那又有什么用呢？ 知道了他们的战术并阻止了他们，就会发出一条信息：“我们知道您在那里，我们已经准备好与您作战。”

如何实现证书颁发机构和加密 (How To Implement Certificate Authority And Encryption)

Now that we have limited the scope of the problem let’s talk about CA certs and encryption. The first step is to choose a Certificate Authority. After doing some research, we chose “Let’s Encrypt.” They are “new-ish” on the scene and have innovative ways of handling the issuing and managing certificates that seem promising.

现在我们已经限制了问题的范围，让我们来谈谈CA证书和加密。 第一步是选择一个证书颁发机构。 经过研究后，我们选择了“让我们加密”。 它们在现场是“新奇的”，并具有创新的方式来处理签发和管理似乎很有希望的证书。

Let’s Encrypt provides X.509 certificates for TLS encryption for free. The certificate is valid for only 90 days but can be renewed at any time. They also offer site owners an automated process of overcoming the manual creation, validation, signing, installation, and renewal of certificates for secure websites.

让我们加密免费提供用于TLS加密的X.509证书。 该证书的有效期仅为90天，但可以随时续签。 它们还为站点所有者提供了一种自动过程，该过程克服了手动创建，验证，签名，安装和更新安全网站证书的过程。

I like this strategy to certificate validation. It forces the admins to renew in a timely fashion, and the automation reduces the chance that human error will create a vulnerability. To use Let’s Encrypt, we set up a server to run the ACME client as a bot (like CertBot) that handles the challenge-response needed to validate site ownership and the creation of the site’s keys.

我喜欢这种策略来进行证书验证。 它迫使管理员及时更新，并且自动化减少了人为错误造成漏洞的机会。 为了使用“让我们加密”，我们设置了一个服务器来将ACME客户端作为机器人运行(例如CertBot)，该机器人处理验证站点所有权和创建站点密钥所需的质询响应。

One added feature in Let’s Encrypt framework that I am very excited about is their promise to implement Elliptic-curve cryptography by using an Elliptic Curve Digital Signature Algorithm. The core benefits being that ECDSA is just as hard to break (if not harder) than RSA but requires much smaller keys. The net benefit is faster websites since the cryptologic communications take less time.

我非常兴奋的“让我们加密”框架中的一项附加功能是他们承诺通过使用椭圆曲线数字签名算法来实现椭圆曲线密码学。 核心好处是ECDSA与RSA一样难以破解(即使不是更难破解)，但需要的密钥要小得多。 净收益是网站速度更快，因为密码通信花费的时间更少。

To recap, once ownership is verified with multiple challenges, the CertBot communicates with the Let’s Encrypt Server to create RSA key pairs. These sets of key pairs are used to communicate in an encrypted fashion onward. The CA certificate is sent to the ATT server through this channel. Installation is automated by the CertBot running of the ATT server.

回顾一下，一旦所有权受到多重挑战验证，CertBot将与Let's Encrypt Server通信以创建RSA密钥对。 这些密钥对集用于以加密方式向前通信。 CA证书通过此通道发送到ATT服务器。 ATT服务器的CertBot运行会自动进行安装。

如何缓解已知威胁？ (How To Mitigate Against Known Threat?)

Mitigation Begins with Planning. Now that we have an imaginary threat assessment in place (we’re fast right?) we can do a few things right off the bat to make sure we reduced the scope of the problem by limiting the attack vectors and neutralizing popular kill chain events.

缓解始于计划。 现在我们已经有了一个虚构的威胁评估(我们很快吗？)，我们可以立即做一些事情来确保我们通过限制攻击媒介并抵消流行的杀伤链事件来缩小问题的范围。

#1. Limit the IP addresses ATT resolves to

＃1。 限制ATT解析的IP地址

If we don’t sell outside the US, we can block all non-US IPs. We can also block the IP addresses of known threat actors through automation. This doesn’t stop MGHC; it just makes the task of hiding themselves a little more annoying. The harder we make them work, the more likely they are to attack someone else. Usually, this work is done by implementing a strong Firewall, but sometimes specialized hardware is required to protect against DDoS attacks.

如果我们不在美国境外销售，我们可以阻止所有非美国IP。 我们还可以通过自动化来阻止已知威胁参与者的IP地址。 这并不能阻止MGHC； 这只会使隐藏自己的任务更加烦人。 我们越努力使他们工作，他们攻击他人的可能性就越大。 通常，这项工作是通过实现强大的防火墙来完成的，但是有时需要专用的硬件来防御DDoS攻击。

#2. Use only certain versions of Browsers (for each flavor of Browser) along with a very strict rule on the version of TLS the website supports

＃2。 仅使用某些版本的浏览器(针对每种浏览器)以及网站支持的TLS版本的非常严格的规则

While this might cause us to lose certain traffic from people with old Browsers, it is a business/security trade-off. An additional strategy is to enable HTTP Public Key Pinning (HPKP). This ensures that we select and pin the version of the CA cert used by the Browser.

虽然这可能会导致我们失去使用旧版浏览器的用户的某些流量，但这是业务/安全性的折衷方案。 另一种策略是启用HTTP公钥固定(HPKP) 。 这样可以确保我们选择并固定浏览器使用的CA证书的版本。

#3. Buy up the misspellings and common variations of the domain

＃3。 购买域名的拼写错误和常见变体

Think of how easy it could be to fool people who are not paying attention to their Browsers address bar. This is especially so if the attacker has SEO’d the misspellings or is using social media ads or phishing to lure people unto a fake site. And if the attackers can get a valid CA cert for a misspelled domain, game over.

想一想，愚弄那些不注意浏览器地址栏的人是多么容易。 如果攻击者使用SEO拼写错误或使用社交媒体广告或网络钓鱼诱使人们进入假网站，则尤其如此。 并且，如果攻击者可以为拼写错误的域获取有效的CA证书，请结束游戏。

#4. Register domain names for foreign extensions and alternate spellings with Cyrillic characters

＃4。 用西里尔字母注册外国扩展名和备用拼写的域名

One of the lesser-known attacks is creating a site with a domain that switches some of the vowels with Cyrillic characters, that are indistinguishable from Latin characters by most browsers. One researcher did this with apple.com, replacing the “a” with a Cyrillic а, and getting a valid CA cert for apple.com.

鲜为人知的攻击之一是创建一个站点，该站点的域可以切换某些带有西里尔字符的元音，而大多数浏览器无法将它们与拉丁字符区分开。 一位研究人员使用apple.com进行了此操作，用西里尔字母代替“ a”，并获得了apple.com的有效CA证书。

#5. Educate users on what to look for

＃5。 教育用户寻找的内容

At the top of the browser, a periodical banner pointing out the green lock and what it means might be ignored by 80% of the traffic. Still, it is just another attempted to teach the user about the security features in their browser and how we are keeping them safe. Educated consumers are worth more than their weight in gold.

在浏览器顶部，周期性的横幅广告指出绿色锁定及其含义，可能被80％的流量忽略。 尽管如此，这只是向用户传授其浏览器中的安全功能以及我们如何确保其安全的另一种尝试。 受过教育的消费者比他们的黄金重量更有价值。

#6. Use cache-busting techniques

＃6。 使用缓存清除技术

This is to make sure that the cached version of the home page and other important pages are retrieved directly from the server to prevent cache poisoning attacks. Writing Cache Busting code is fairly simple, but the benefits are enormous.

这是为了确保可以直接从服务器检索主页和其他重要页面的缓存版本，以防止缓存中毒攻击。 编写缓存清除代码非常简单，但是好处却是巨大的。

#7. Monitor the DNS Server(s) for DoS, DDoS, DNS amplification and Fast flux attacks

＃7。 监视DNS服务器以进行DoS，DDoS，DNS放大和快速流量攻击

Another popular way of diverting traffic to a fake site is by taking down the DNS Server tampering with the routing. If the DNS server is down, then the main site should shut down, and users should be alerted. Fast Flux is a more sophisticated DNS attack that is harder to detect or stop.

将流量转移到假站点的另一种流行方法是通过删除篡改路由的DNS服务器。 如果DNS服务器已关闭，则主站点应关闭，并应向用户发出警报。 快速通量是一种更复杂的DNS攻击，很难检测或阻止。

The most effective countermeasure against a Fast Flux attack is to shut down the domain (which may not be possible if it has been severely compromised). DoS and DNS attacks are hard to defend against, but if we take item 1 seriously, we could reduce the threat by at least 50%.

防止Fast Flux攻击的最有效对策是关闭域(如果它已受到严重破坏，则可能无法实现)。 DoS和DNS攻击很难防御，但是如果我们认真对待第1项，则可以至少减少50％的威胁。

Depending on industry-specific threats, we may be able to do a lot more (Training for Customer Service, Machine Learning Algorithms scanning the network, Threat Hunting base on APT reports), but this is a good first step. Now that we have “shut all the windows,” we can build a better lock for the “front door,” our CA certificate.

根据特定行业的威胁，我们也许可以做更多的事情(客户服务培训，机器学习算法扫描网络，基于APT报告的威胁搜寻)，但这是一个很好的第一步。 现在，我们已经“关闭了所有窗户”，我们可以为CA证书的“前门”建立一个更好的锁。

如何保护用户的信用卡信息？ (How To Protect Users Credit Card Information?)

Protecting credit cards is very important, and needs to be secured from the prying eyes of MGHC. The easiest way to do this is to ensure that the communication between the server and the user is private and encrypted. We can achieve this by creating encrypted sessions using TLS.

保护信用卡非常重要，需要从MGHC的撬动眼中加以保护。 最简单的方法是确保服务器和用户之间的通信是私有的并且经过加密。 我们可以通过使用TLS创建加密的会话来实现。

Previously known as SSL (Secure Socket Layer), TLS (Transport Layer Security) 1.3 is the latest and greatest. The TLS protocol has two layers, which are the TLS handshake protocols and the TLS record. MGHC might be watching the traffic on the network. Still, we can make everything they see gibberish if we execute a proper TLS handshake, exchange symmetrical keys, and encrypt the communication between the server and the user with these keys.

TLS(传输层安全性)1.3以前称为SSL(安全套接字层)，是最新的也是最大的。 TLS协议具有两层，分别是TLS握手协议和TLS记录。 MGHC可能正在监视网络上的流量。 但是，如果我们执行适当的TLS握手，交换对称密钥并使用这些密钥加密服务器与用户之间的通信，则可以使他们看到的一切变得混乱。

Understanding how TLS works is great, but understanding how attackers bypass it is better. There are too many TLS attacks to discuss here. Still, they include; Renegotiation attack, Downgrade attacks: FREAK attack and Logjam attack, Cross-protocol attacks: DROWN, BEAST attack, CRIME, and BREACH attacks, Timing attacks on padding, and POODLE attack.

了解TLS的工作原理很棒，但了解攻击者如何绕过它更好。 这里讨论的TLS攻击太多。 尽管如此，它们包括： 重新协商攻击，降级攻击：FREAK攻击和Logjam攻击，跨协议攻击：DROWN，BEAST攻击，CRIME和BREACH攻击，填充定时攻击和POODLE攻击。

Others are RC4 attacks, Truncation attack, Unholy PAC attack, Sweet32 attack, and Implementation errors, including the Heartbleed bug, BERserk attack, and Cloudflare bug. Many of these issues have been fixed or mitigated against, except for the Protocol Downgrade.

其他包括RC4攻击，截断攻击，邪恶的PAC攻击，Sweet32攻击和实现错误，包括Heartbleed错误，BERserk攻击和Cloudflare错误。 除协议降级外，许多问题已得到解决或缓解。

20% of all sites are still vulnerable to this attack. Much of the risk in using TLS is executing the initial handshake. While most sites can be protected by simply enforcing the highest version of TLS that they can afford.

所有站点中仍有20％仍然容易受到此攻击。 使用TLS的大部分风险是执行初始握手。 虽然大多数站点可以通过简单地实施他们可以负担的最高版本的TLS来保护。

There is exciting and interesting research going on that will make TLS handshakes secure. It would be secure even against quantum computing attacks, namely Supersingular isogeny key exchange. As the research continues, there is an accessible library published by Microsoft on GitHub along with a Java implementation by an independent engineer.

正在进行令人兴奋且有趣的研究，这将使TLS握手更安全。 即使抵御量子计算攻击，即超奇异质密钥交换，它也将是安全的。 随着研究的继续，微软在GitHub上发布了一个可访问的库，以及独立工程师的Java实现。

However, I see an opportunity here. SIDH may work better if implemented as a State Machine. I have started a project that involves converting one of the above libraries to Python. I intend to implement the key exchange using AWS Step Functions (a Serverless State Machine) that calls out to a mesh of Lambda Functions (Serverless Stateless Anonymous Functions. All inside of an encrypted firewalled virtual private cloud (VPC).

但是，我在这里看到了机会。 如果作为状态机实施，SIDH可能会更好地工作。 我已经启动了一个项目，其中涉及将上述库之一转换为Python。 我打算使用AWS Step Functions (无服务器状态机)来实现密钥交换，该功能调用Lambda函数 (无服务器无状态匿名功能)的网格。所有这些功能都在加密的防火墙虚拟私有云(VPC)内部。

This would make SIDH usable and highly interoperable, requiring no installation, just the permission to access the Service Mesh via a kind of SAML authentication. You can check it on GitHub as well.

这将使SIDH可用且高度可互操作，无需安装，只需通过一种SAML身份验证访问服务网格的权限即可。 您也可以在GitHub上进行检查 。

更多常识性的缓解措施来保护信用卡 (More Common Sense Mitigation to Protect Credit Cards)

Once TLS is implemented and fortified, we can take a few more common-sense steps to protect the user’s credit card:

一旦实施并加强了TLS，我们可以采取一些常识性的步骤来保护用户的信用卡：

1. Obfuscate the credit card number on the page with **** after it’s entered.

   输入信用卡号后，在页面上用**** 混淆 。

2. Make sure the credit card number isn’t saved in the cache if the user navigates away from the payment page.

   如果用户离开付款页面， 请确保信用卡号未保存在缓存中 。

3. Create a timer on the payment page, so attacks that require more time will fail.

   在付款页面上创建一个计时器 ，这样需要更多时间的攻击将失败。

4. Require login and two-factor authentication before a user can make a payment, and lock the account of a user with too many failed password attempts.

   用户需要先登录并进行两步验证，然后用户才能付款 ，并使用太多失败的密码尝试锁定用户的帐户。

5. Disable copy and paste in sensitive fields to prevent malicious CSS from stealing card numbers.禁止复制和粘贴敏感字段，以防止恶意CSS窃取卡号。
6. Obfuscate the id of the fields in CSS and HTML tags. This destroys the ability for a user to use autofill, but it also reduces the chances of a malicious plug-in seeing these fields and scraping them.混淆CSS和HTML标记中字段的ID。 这破坏了用户使用自动填充的能力，但同时也减少了恶意插件看到这些字段并将其抓取的机会。
7. Require the user to save payment details instead of entering them repeatedly for consecutive purchases. The less we force users to expose the credit card, the better.要求用户保存付款详细信息，而不是重复输入以进行连续购买。 我们强迫用户暴露信用卡的次数越少越好。

8. Using a payment processor like PayPal, GooglePay, AmazonPay, VisaPay, MastercardPay, or Bolt. These third-party tools cost money, but they reduce risk by not requiring the user to enter their credit card number and shift the liability for fraud to the payment processor.

   使用付款处理器，例如PayPal，GooglePay，AmazonPay，VisaPay，MastercardPay或Bolt。 这些第三方工具需要花钱，但是它们通过不要求用户输入信用卡号并将欺诈责任转移给支付处理器来降低风险。

结论 (Conclusion)

Cybersecurity is one of the primary concerns of every organization. The truth is that these attacks are endless as hackers are not relenting. However, it is the sole responsibility of website owners, and organizations to protect the integrity of their users’ information from cyberattacks. The steps listed in this article will be very useful to mitigate such attacks and increase the security of your websites.

网络安全是每个组织的主要关注之一。 事实是，这些攻击无休止，因为黑客没有放松。 但是，这是网站所有者和组织的唯一责任，是保护其用户信息的完整性不受网络攻击。 本文列出的步骤对于减轻此类攻击并提高网站的安全性非常有用。