第三方 SDK 的信任问题 #3358
Merged
第三方 SDK 的信任问题 #3358
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
update At 15/10/2017
根据两位校对完成了修改
Closed
|
校对认领 |
|
@hanliuxin5 好的呢 🍺 |
hanliuxin5
reviewed
Mar 4, 2018
TODO/trusting-sdks.md
Outdated
|
|
||
| **31%** of the most popular closed-source iOS SDKs are vulnerable to this attack, as well as a total of **623 libraries** on CocoaPods. As part of this research I notified the affected parties, and submitted patches to CocoaPods to warn developers and SDK providers. | ||
| 在最热门的闭源 iOS SDK 中,**31%**的 SDK 和 CocoaPods 中的 **623个库** 对于这种攻击是没有抵抗力的。 作为研究的一部分,我通知了被影响的组织,并向 CocoaPods 提交了补丁,来提醒开发者和 SDK 提供者们。 |
TODO/trusting-sdks.md
Outdated
|
|
||
| ### HTTPs vs HTTP | ||
|
|
||
| **HTTP**: Unencrypted traffic, anybody in the same network (WiFi or Ethernet) can easily listen to the packets. It’s very straightforward to do on unencrypted WiFi networks, but it’s actually almost as easy to do so on a protected WiFi or Ethernet network. There is no way for your computer to verify the packets came from the host you requested data from; Other computers can receive packets before you, open and modify them and send the modified version to you. | ||
| **HTTP**: 未加密信息,任何位于同一网络(WiFi 或以太网)的人都可以轻易地监听网络包。在未加密的 WiFi 网络上这样监听的方法非常简单直观,而实际上在受保护的 WiFi 或以太网上依然是同样简单的。你的计算机不会去验证你所请求数据的主机的网络包;其它的计算机可以在你之前接收包裹,打开并修改它们,之后再将更改过的版本发送给你。 |
TODO/trusting-sdks.md
Outdated
|
|
||
| > If you’re interested, you can learn how the OSI (Open Systems Interconnection) model works, in particular the implementation TCP/IP (e.g. [http://microchipdeveloper.com/tcpip:tcp-ip-five-layer-model](http://microchipdeveloper.com/tcpip:tcp-ip-five-layer-model)). | ||
| > 如果你对此感兴趣,你可以学习 OSI 模型是如何工作的,特别是在实习 TCP/IP 协议时 (例如 [http://microchipdeveloper.com/tcpip:tcp-ip-five-layer-model(tcp/ip 五层模型)](http://microchipdeveloper.com/tcpip:tcp-ip-five-layer-model))。 |
TODO/trusting-sdks.md
Outdated
|
|
||
| Simplified, the devices in a network use ARP mapping to remember where to send packets of a certain MAC address. The way ARP works is simple: if a device wants to know where to send a packet for a certain IP address, it asks everyone in the network: “Which MAC address belongs to this IP?”. The device with that IP then replies to this message ✋ | ||
| 简单来讲,网络中的设备利用 ARP 映射来记住去将含有特定 MAC 地址的网络包送到哪里。ARP 的工作原理很简单:如果一个设备知道该一个网络包所应送入的 IP 地址,它就会询问网络中的所有人:“这个 MAC 地址应该与哪个 MAC 地址对应?”拥有那个 IP 地址的设备就会回复该信息 ✋ |
There was a problem hiding this comment.
应该与哪个 MAC 地址对应? 应该与哪个 IP 地址对应?"。
TODO/trusting-sdks.md
Outdated
|
|
||
| **Note**: the technique described above is different from what you might have read about the security issues with public WiFi networks. Public WiFis are a problem because everybody can just read whatever packets are flying through the air, and if they’re unencrypted HTTP, it’s easy to read what’s happening. ARP pollution works on any network, no matter if public or not, or if WiFi or ethernet. | ||
| **注意**: 上面所述的技术与你可能读过的公共 WiFi 安全问题是不同的。公共 WiFi 的问题在于任何人都可以读取在空中传送的网络包,如果这些网络包是没有加密的 HTTP,那么很容易就解读出正在发生的事情。 ARP 污染作用于所有的网络,无论是公共与否,WiFi 还是以太网。 |
TODO/trusting-sdks.md
Outdated
| * The local government forces the company to include back-doors | ||
| * The company providing the SDK is evil and includes code & tracking you don’t want | ||
| * 攻击者获取了 SDK 下载服务器的权限 | ||
| * 提供 SDK 的公司与他人妥协 |
TODO/trusting-sdks.md
Outdated
| * 攻击者获取了 SDK 下载服务器的权限 | ||
| * 提供 SDK 的公司与他人妥协 | ||
| * 当地政府强制公司包含后门 | ||
| * 提供 SDK 的公司本身有不良意图,并包含了你不想要的追踪代码 |
TODO/trusting-sdks.md
Outdated
|
|
||
| **You are responsible for the binaries you ship!** You have to make sure you don’t break your user’s trust, European Union data protection laws ([GDPR](https://www.eugdpr.org/)) or steal the user’s credentials via a malicious SDK. | ||
| **你应该对你传送的代码负责!** 你应该保证你没有辜负用户对你的信任,以及欧盟的数据保护法([GDPR](https://www.eugdpr.org/))或通过病毒 SDK 偷取用户的凭据。 |
TODO/trusting-sdks.md
Outdated
|
|
||
| **You are responsible for the binaries you ship!** You have to make sure you don’t break your user’s trust, European Union data protection laws ([GDPR](https://www.eugdpr.org/)) or steal the user’s credentials via a malicious SDK. | ||
| **你应该对你传送的代码负责!** 你应该保证你没有辜负用户对你的信任,以及欧盟的数据保护法([GDPR](https://www.eugdpr.org/))或通过病毒 SDK 偷取用户的凭据。 |
TODO/trusting-sdks.md
Outdated
|
|
||
| Unless otherwise mentioned in the post, those projects are side projects which I work on on weekends and evenings, and are not affiliated with my work or employer. | ||
| 除非在文章中特别提到,否则这些项目皆为我利用周末及晚上的时间来完成的业余项目,与我所做的工作和雇员无关。 |
|
@CACppuccino 来修改啦 |
CACppuccino
commented
Mar 12, 2018
TODO/trusting-sdks.md
Outdated
| * 激活管理员账户的远程 SSH 权限 | ||
| * 安装键盘记录器来获取管理员密码 | ||
| * 使用密码来解密 keychain,并将所有登录凭据传送至远程服务器 | ||
| * 获取本地机密,如 AWS 凭据,CocoaPods 和 RubyGems 的上传令牌还有 |
There was a problem hiding this comment.
下一行应该是在说“”还有的内容”,因为那行有一个缩进
leviding
approved these changes
Mar 12, 2018
|
@CACppuccino 已经 merge 啦~ 快快麻溜发布到掘金然后给我发下链接,方便及时添加积分哟。 掘金翻译计划有自己的知乎专栏,你也可以投稿哈,推荐使用一个好用的插件。 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
译文翻译完成,resolve #3313
PR的commits有些问题,不过其它的正常