How does HTTPS prevent replay attacks?

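When initiating an HTTPS conversation, a random number is generated to create a key for the exchange (or something like that). What I don't understand is how this prevents replay attacks.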

Why can't an attacker just repeat all the requests the real client made?

This answer claims it isn't possible, while this answer claims the opposite. Unless random numbers are involved, I can't see how the attack would be possible.

The answer is here, provided by @Emirikol: https://softwareengineering.stackexchange.com/a/194668/245162

HTTPS can be enough to secure the server from replay attacks (the same message being sent twice) if the server is configured to only allow the TLS protocol as per RFC 2246 section F.2.

This is done by using a message authentication code (MAC).

See also: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake_in_detail
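
The replay protection the answer refers to, as an added example that is not part of the original answer: in RFC 2246 each record's MAC covers an implicit sequence number, and the MAC key depends on fresh randoms from both sides of the handshake. The `RecordLayer` class, the sample request and the simplified key derivation (a stand-in for the TLS PRF, with one key for both directions) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

def derive_mac_key(master_secret, client_random, server_random):
    # Simplified stand-in for the TLS PRF (assumption): what matters here is
    # that the key depends on fresh randoms chosen by both client and server.
    data = b"mac key" + client_random + server_random
    return hmac.new(master_secret, data, hashlib.sha256).digest()

def record_mac(key, seq, content_type, version, fragment):
    # RFC 2246 MAC input: seq_num || type || version || length || fragment
    header = struct.pack("!QBHH", seq, content_type, version, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha1).digest()

class RecordLayer:
    def __init__(self, key):
        self.key, self.write_seq, self.read_seq = key, 0, 0

    def seal(self, fragment):
        mac = record_mac(self.key, self.write_seq, 23, 0x0301, fragment)
        self.write_seq += 1  # never sent on the wire, only counted
        return fragment + mac

    def open(self, record):
        fragment, mac = record[:-20], record[-20:]
        expected = record_mac(self.key, self.read_seq, 23, 0x0301, fragment)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad_record_mac")  # TLS aborts the connection here
        self.read_seq += 1
        return fragment

def demo():
    master, client_random = os.urandom(48), os.urandom(32)
    key = derive_mac_key(master, client_random, os.urandom(32))
    client, server = RecordLayer(key), RecordLayer(key)
    captured = client.seal(b"POST /transfer amount=100")  # constructed sample
    results = {"first": server.open(captured)}
    # The server picks a new random for every handshake, so a new session has a new key.
    fresh = RecordLayer(derive_mac_key(master, client_random, os.urandom(32)))
    for name, receiver in (("same_session", server), ("new_session", fresh)):
        try:
            receiver.open(captured)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The captured record is accepted once; replaying it in the same session fails because the receiver's sequence number has advanced, and replaying it into a new session fails because the key is different.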