Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web技術の基本 7回目 / Introduction to Web technologies...

muttan
April 24, 2018

Web技術の基本 7回目 / Introduction to Web technologies 7th class

muttan

April 24, 2018
Tweet

More Decks by muttan

Other Decks in Technology

Transcript

  1. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  2. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  3. WebγεςϜͷηΩϡϦςΟ • WebγεςϜ͸೔ʑൃୡ͠, ৽ͨͳػೳ͕௥Ճ͞ΕΔ ‣ ৽ػೳΛѱ༻ͯ͠߈ܸΛ࢓ֻ͚Δ͜ͱ͕ଟʑ͋Δ - ݸਓ৘ใΛҾ͖ൈ͘ - ແବʹෛՙΛ͔͚Δ

    • WebγεςϜΛӡ༻্͍ͯ͘͠Ͱ, ηΩϡϦςΟରࡦ͸ ඞਢࣄ߲ ‣ ৗʹ৽ͨͳ߈ܸख๏ʹ͍ͭͯΞϯςφΛష͓ͬͯ͘ඞ ཁ͕͋Δ
  4. WebγεςϜͷηΩϡϦςΟ • ιϑτ΢ΣΞͷΞοϓσʔτʹ͸, ੬ऑੑରࡦ͕੝Γࠐ ·Ε͍ͯΔ΋ͷ͕ଟ͍ ‣ ୯ʹػೳ௥ՃͰΞοϓσʔτ͍ͯ͠ΔΘ͚Ͱ͸ͳ͍ ‣ WindowsͰ͋Ε͹, Widows

    UpdateͰఏڙ • اۀ͕੬ऑੑରࡦύονΛ഑෍͢ΔલʹϢʔβʔʹ߈ ܸΛ࢓ֻ͚ΔθϩσΠ߈ܸͱ͍͏ڴҖ΋ଘࡏ͢Δ ‣ Bashͷ੬ऑੑͰ͜Μͳͷ͕͋Γ·ͨ͠Ͷ WebγεςϜͷηΩϡϦςΟ ऴྃ
  5. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  6. ύεϫʔυΫϥοΩϯά(Dictionary Attack) • ຖ೥SplashData(ηΩϡϦςΟاۀ)͸ʮ࠷ѱͷύεϫʔυʯϥ ϯΩϯάΛൃද͍ͯ͠Δ • ࣍ͷΑ͏ͳ΋ͷ্͕Ґʹೖ͍ͬͯΔ ‣ 123456 ‣

    password ‣ welcome ‣ starwars ‣ 123123 • ͦͷଞ͸ҎԼ͔Β
 https://www.teamsid.com/worst-passwords-2017-full-list/
  7. ύεϫʔυΫϥοΩϯά(Dictionary Attack) • OWASPͷSecListsʹ͸, ϋοΫ͞ΕΔՄೳੑͷߴ͍ύε ϫʔυ΍IDͷϦετ͕ࡌ͍ͬͯΔ ‣ OWASP͸, The Open

    Web Application Security Projectͱ͍͏ηΩϡϦςΟؔ࿈ͷίϛϡχςΟ ‣ GitHub্ʹͰެ։͞Ε͍ͯΔ
 https://github.com/danielmiessler/SecLists
  8. ύεϫʔυΫϥοΩϯά(Dictionary Attack) ༨ஊ • ͋Δ೔, “Remove my password from lists

    so hackers won’t be able to hack me”ͱ͍͏Pull Request͕… ‣ ͋ΔϢʔβʔ͕ࣗ෼ͷύεϫʔυ͕ࡌ͍ͬͯΔ͜ͱ ʹযͬͯ, ࡟আͨ͠ϑΝΠϧͰPull RequestΛૹͬ ͨͬΆ͍ ‣ ίϝϯτཝ͕େتརձ৔ʹͳͬͯ·ͨ͠
 https://github.com/danielmiessler/SecLists/pull/155
  9. DOS߈ܸ(SYN Flood) • SYN Flood߈ܸ
 TCPͷίωΫγϣϯཱ֬ʹ࢖༻͢ΔSYNύέοτΛѱ༻ ͨ͠߈ܸ • ߈ܸํ๏ 1.

    SYNύέοτΛ߈ܸର৅ʹେྔʹૹΔ 2. SYN ACKύέοτ͕ฦͬͯ͘Δ 3. ͜ͷSYN ACKύέοτʹରͯ͠Ԡ౴Λ͠ͳ͍ - ߈ܸର৅ͷαʔό͸͠͹Β͘Ԡ౴Λ଴ͪଓ͚Δ
  10. DOS߈ܸ(SYN Flood) • Ԡ౴Λ଴ͭؒ, αʔό͸ϝϞϦΛফඅ͢Δ ‣ Ұ౓ʹେྔʹϦΫΤετΛૹΓϝϞϦΛେྔফඅ SYNύέοτ SYN ACKύέοτ

    SYNύέοτ SYN ACKύέοτ SYNύέοτ SYN ACKύέοτ SYNύέοτ 4:/"$,ύέοτΛฦ͢΋ͷͷ ͦΕҎ߱ͷ Ԡ౴͕ͳ͍ͷͰ΢ΣΠϋϯυγΣΠΫͷ్தঢ়ଶ Ͱ଴ͪଓ͚Δ αʔό͕৽͍͠4:/ύέοτʹରԠͰ͖ͳ͘ͳΓ  ผͷϢʔβʔ͕ΞΫηεͰ͖ͳ͘ͳΔ 4:/ύέοτΛେྔʹૹΔ
  11. ICMPͱ͸ • ICMPͷ༻్͸ओʹ2ͭ 1. Τϥʔ௨஌
 ܦ࿏ͷ్தͰΤϥʔ͕ൃੜͨ͜͠ͱΛૹ৴ݩʹ௨஌ 2. ৘ใরձ
 ૹ৴ݩͷϗετ͕ଞͷػثʹ৘ใΛ໰͍߹ΘͤΔ ‣

    ໨తIPϗετͷଘࡏ֬ೝ, ωοτϚεΫ, ࣌ࠁͳͲ • ͜ΕΒͷ৘ใ͸λΠϓͱίʔυͷ૊Έ߹ΘͤͰදݱ ‣ Ұ෦Λ঺հ
  12. ICMPͱ͸ λΠϓ ίʔυ ಺༰ छྨ   ΤίʔԠ౴ ৘ใরձ 

    Ѽઌ౸ୡෆೳ Τϥʔ௨஌  ѼઌωοτϫʔΫʹ౸ୡͰ͖ͳ͍  Ѽઌϗετʹ౸ୡͰ͖ͳ͍ ʜ   ૹ৴ݩ཈੍ʢύέοτͷૹग़཈੍௨஌ʣ Τϥʔ௨஌  ϦμΠϨΫτ Τϥʔ௨஌  ࢦఆωοτϫʔΫ΁ͷ࠷దܦ࿏௨஌  ࢦఆϗετ΁ͷ࠷దܦ࿏௨஌ ʜ   Τίʔཁٻ ৘ใরձ ʜ
  13. DOS߈ܸ(Smurf) • ICMPͱ͍͏ϓϩτίϧ͸ඇৗʹॏཁͰ͸͋Δ͕, ௨ৗ ϧʔλଆͰःஅ͍ͯ͠Δ͜ͱ͕ଟ͍ ‣ ߈ܸʹ࢖ΘΕΔ͜ͱ͕ଟ͍ͨΊ • ةͳ͍ͳΒશͯࢭΊͯ͠·͑͹ྑͦ͞͏ ‣

    IP௨৴͕શ͘Ͱ͖ͳ͘ͳΔ͜ͱ͸ͳ͍ ‣ ͕, ϒϥοΫϗʔϧϧʔλͷΑ͏ͳ͜ͱ΋ • ඞཁͳtypeͷΈ௨͢Α͏ͳઃఆΛ͢Δ΂͖ ύεϫʔυΫϥοΩϯά, DoS߈ܸ ऴྃ
  14. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  15. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ • PHPͷ࣮૷ͰݟͯΈΔ(WikiΑΓҾ༻) <?php $template = 'blue.php'; if ( is_set(

    $_COOKIE['TEMPLATE'] ) ) $template = $_COOKIE['TEMPLATE']; include ( "/home/users/phpguru/templates/" . $template ); ?> 1)1ͷϓϩάϥϜ )551ϦΫΤετ GET /vulnerable.php HTTP/1.0 Cookie: TEMPLATE=../../../../../../../../../etc/passwd
  16. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ • αʔόͷԠ౴͸࣍ͷΑ͏ʹͳΔ ‣ /etc/passwdͷத਎͕ݟ͑ͯ͠·͍ͬͯΔ HTTP/1.0 200 OK Content-Type: text/html

    Server: Apache root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh daemon:*:1:1::/tmp: phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh Ҿ༻ɿhttps://ja.wikipedia.org/wiki/σΟϨΫτϦτϥόʔαϧ • ͜ͷΑ͏ͳจࣈྻΛड͚෇͚ͳ͍Α͏ʹϓϩάϥϜଆ ͰνΣοΫ͢Δඞཁ͕͋Δ WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ ऴྃ
  17. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  18. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ JE VTFS@JE QBTTXPSE NBJM@BEES  :4%  :4%!FYBNQMFDPN VTFSTςʔϒϧ

    RVFSZ 1)1Λ૝ఆ $query = <<<EOL SELECT mail_addr FROM user WHERE user_id = '$user_id' AND password = '$password' EOL;
  19. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ RVFSZ 1)1Λ૝ఆ $query = <<<EOL SELECT mail_addr FROM user

    WHERE user_id = ‘1’ or ‘1’ = ‘1’; — ’ AND password = '$password' EOL; • ѱҙͷ͋ΔϢʔβʔ͕, ϑΥʔϜͷidཝʹʮ1’ or ‘1’ = ‘1’; —ʯͱॻ͘ͱϝʔϧΞυϨεΛऔಘͰ͖ͯ͠·͏ $query = SELECT mail_addr FROM user WHERE user_id = ‘1’ or ‘1’ = ‘1’;ͱಉ౳ → ৗʹWHERE͕۟TRUEʹͳΔ
  20. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ ΠϯδΣΫγϣϯରࡦ • จࣈྻ݁߹Λ࢖ͬͯSQLจΛ૊Έཱͯͳ͍ ‣ ΤεέʔϓॲཧΛ͔ͬ͠Γߦͳ͏ - ϓϨʔεϗϧμʔ, ม਺όΠϯυ, ϓϦϖΞʔ౓ε

    ςʔτϝϯτ ʢࢀߟʣSQLΠϯδΣΫγϣϯରࡦʹ͍ͭͯ
 https://www.ipa.go.jp/files/000024396.pdf ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ ऴྃ
  21. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  22. WebγεςϜͷ੬ऑੑʢηΩϡϦςΟϗʔϧʣ • ੬ऑੑରࡦ৘ใσʔλϕʔεʹ͸ҎԼͷ৘ใ͕ܝࡌ ‣ ֓ཁ ‣ ਂࠁ౓ ‣ ରࡦ ‣

    ϕϯμ৘ใʢ੬ऑੑ΁ͷରԠঢ়گʣ ‣ CVEʢڞ௨੬ऑੑࣝผࢠʣ • JVNDBͱCVE͸Կ͕ҧ͏ͷ͔ʁ
  23. WebγεςϜͷ੬ऑੑʢηΩϡϦςΟϗʔϧʣ • CVE(Common Vulnerabilities and Exposures)
 ڞ௨੬ऑੑࣝผࢠͱݺ͹ΕΔ΋ͷͰ, ΞϝϦΧͷMITRE ͕ࣾ࠾൪͍ͯ͠Δ੬ऑੑࣝผࢠͷ͜ͱ. ‣

    ੬ऑੑରࡦ৘ใσʔλϕʔεಉ༷, ੬ऑੑ৘ใ͕ެ։ ͞Ε͍ͯΔ(http://cve.mitre.org/) • JVN͸CVEޓ׵ೝఆΛड͚͍ͯΔ ‣ ੬ऑੑϖʔδͷԼͷํʹCVE΋ॻ͍ͯ͋Δ ࢀߟϦϯΫɿhttps://www.ipa.go.jp/security/vuln/CVE.html
  24. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  25. ϑΝΠΞʔ΢Υʔϧʢෆಛఆଟ਺޲͚ʣ ϑΝΠΞʔ΢Υʔϧ Webαʔό ϑΟϧλ৚݅ ʲڐՄʳ ํ޲ɿΠϯλʔωοτˠ಺෦ ૹ৴ݩ*1ΞυϨεɿ͢΂ͯ ૹ৴ݩϙʔτ൪߸ɿશͯ Ѽઌ*1ΞυϨεɿ8FCαʔόͷ*1ΞυϨε Ѽઌϙʔτ൪߸ɿ

     ʲڋ൱ʳ ্هҎ֎͢΂ͯ ڐՄ͞Εͨϙʔτʹ͔͠ΞΫηε Ͱ͖ͳ͍ͷͰ ߈ܸखஈ͕ݶΒΕΔ ߈ܸऀ 80ͱ443͸։͚͍ͯΔͷͰ, ͜͜΁ͷ߈ܸ͸ରࡦ͕ඞཁ ϑΝΠΞʔ΢Υʔϧ ऴྃ
  26. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  27. IDS, IPS • ϑΝΠΞʔ΢ΥʔϧͰ๷͖͗Εͳ͍߈ܸΛ๷͙खஈ ‣ IDS(Intrusion Detection System)
 ෆਖ਼ͳΞΫηεΛ؂ࢹ͠, ݕ஌͢Δͱ௨஌͢Δ

    ‣ IPS(Intrusion Prevention System)
 ෆਖ਼ͳΞΫηεΛ؂ࢹ͠, ݕ஌͢Δͱ௨஌͢Δͱͱ΋ ʹ௨৴Λःஅ͢Δ Πϯλʔωοτ ϑΝΠΞʔ΢Υʔϧ Webαʔό ωοτϫʔΫܕIDS/IPS
  28. IDS, IPS Webαʔό IDS ߈ܸऀ ҟৗΛݕ஌ Webαʔό IPS ߈ܸऀ ҟৗΛݕ஌

    *%4 *14 ௨৴Λ ःஅ͢Δ ௨৴͸ ͦͷ··௨͢
  29. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  30. WAF • WAF(Web Application Framework)
 WebΞϓϦέʔγϣϯͷલͰ, ѱҙͷ͋Δσʔλؚ͕· Ε͍ͯͳ͍͔νΣοΫ͢ΔϑΝΠΞʔ΢Υʔϧ ‣ IDS/IPSΛ࢖͏͜ͱͰ,

    DoS߈ܸ౳ʹ͸ର߅Ͱ͖Δ - ͔͠͠, SQLΠϯδΣΫγϣϯ΍XSS, ύϥϝʔλվ ͟ΜͳͲͷ߈ܸ͸๷͙͜ͱ͜ͱ͕Ͱ͖ͳ͍ͨΊ WAFΛ࢖༻͢Δ
  31. WAF • ෆਖ਼ΞΫηεͷݕ஌ʹ͸2ͭͷํ๏͕ଘࡏ͢Δ ‣ ϒϥοΫϦετܕ
 ಛఆͷύλʔϯʢϒϥοΫϦετʣͱরΒ͠߹Θͤͯѱҙͷ͋ Δ௨৴Λःஅ͢Δํ๏ - ৽ͨͳڴҖ͕ൃݟ͞Εͨ৔߹, Ϧετͷߋ৽͕͋Δ·Ͱରࡦ

    ෆՄೳ ‣ ϗϫΠτϦετܕ
 ਖ਼ৗͳύλʔϯʢϗϫΠτϦετʣͱরΒ͠߹ΘͤͯͦΕʹద ߹͢Δ௨৴ͷΈ௨͢ - ਖ਼ৗͳ௨৴Λ௨͢ઃఆΛਖ਼͘͠ઃఆ͢Δඞཁ͋Γ
  32. WAF F/W IDS/IPS WAF F/W IDS/IPS WAF ϒϥοΫϦετܕ ϗϫΠτϦετܕ ߈ܸऀ

    ߈ܸऀ 8"'ͷ։ൃݩ͔Βͷ ѱҙͷ͋ΔύλʔϯΛجʹর߹ ਖ਼ৗͳ௨৴ΛࣗΒͰఆٛͯ͠
 νΣοΫ WAF ऴྃ
  33. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  34. ௨৴ܦ࿏Ͱͷ҉߸Խ • Ϣʔβʔͱͷσʔλͷ΍ΓऔΓʹ͸, ౪ௌ͞ΕΔͱࠔΔ σʔλ΋ଘࡏ͢Δ ‣ ࢯ໊΍ॅॴͳͲͷݸਓ৘ใ ‣ ΫϨδοτΧʔυ৘ใͷΑ͏ͳػີ৘ใ •

    ͜ͷΑ͏ͳσʔλ͸ฏจͰૹΔ΂͖Ͱ͸ͳ͍ ‣ HTTPͰ͸ͳ͘HTTPSΛ࢖༻͢Δ ‣ HTTPSͰ΋WebαΠτͦͷ΋ͷ͕ѱ࣭ͳ΋ͷͩͱμ ϝͳͷͰ, ࢖͏લʹ1౓͔֬ΊΔʢͦΕ͸ͦ͏ʣ
  35. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  36. ެ։伴ূ໌ॻ • ެ։伴ূ໌ॻ͸, ೝূہ(CA:Certificate Authority)ͱݺ ͹ΕΔୈࡾऀػ͕ؔൃߦ͍ͯ͠Δ ‣ ঎༻͸༗ྉ͕ଟ͍͕, Let’s Encryptͱ͔ແྉͰ͢Ͷ

    • ূ໌ॻʹ͸༗ޮظݶ͕͋ΔͨΊ, ߋ৽࡞ۀ͕ඞཁ ‣ ߋ৽๨Ε͍ͯΔαΠτʹೖΔͱܯࠂ͕ग़Δϒϥ΢βͱ ͔͋Γ·͢ΑͶ • ࣗݾূ໌ॻʢΦϨΦϨূ໌ॻʣͬͯͷ΋͋Γ·͢ ‣ ͏ͪͷେֶͰ͢ ެ։伴ূ໌ॻ ऴྃ
  37. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  38. ೝূ • ೝূ
 ձһ੍αΠτͳͲͰ, IDͱύεϫʔυΛ࢖༻͠ຊਓ֬ೝ Λߦ͏ॲཧͷ͜ͱ ‣ ͔ͭͯೝূͱ͍͑͹, ֤αΠτ͝ͱʹIDͱύεϫʔυ ͕ඞཁͩͬͨ

    - ݱࡏͰ͸, Google΍Twitter, FacebookͳͲͷଞαʔ ϏεͷΞΧ΢ϯτΛ࢖༻͢Δ͜ͱͰೝূΛߦ͏αΠ τ͕૿Ճ
  39. ೝূ Webαʔό ར༻ऀʢϒϥ΢βʣ ར༻ ར༻ ར༻ ೝূ Google (PPHMFͷΞΧ΢ϯτͰ ೝূΛߦ͏

    WebαΠτ͝ͱͷೝূ͕ෆཁͳ͚ͩͰͳ͘, ϩάΠϯ৘ใΛѻ͏ඞཁ͕ͳ͍
  40. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  41. ೝՄʢOAuthʣ • OAuth
 αΠτΛ·͍ͨͩೝՄʢݖݶͷೝՄʣΛ࣮ݱ͢ΔͨΊʹ ඪ४Խ͞Εͨϓϩτίϧ ‣ ݖݶͷೝՄΛߦͳ͏͚ͩͰ, ೝূ͸ߦΘͳ͍ ‣ ୈࡾऀʹIDͱύεϫʔυΛ౉͢͜ͱແ͘֎෦αʔϏεΛ

    ར༻͢Δ͜ͱ͕Մೳ ‣ τʔΫϯΛൃߦ͢Δ͜ͱͰ, ͦͷτʔΫϯΛ࣋ͬͨΫϥ ΠΞϯτʹݖݶΛҕৡ͢Δ • OAuthͷཧղʹ͸4ͭͷ୯ޠΛ஌͍ͬͯΔඞཁ͕͋Δ
  42. ໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ

    5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA
  43. CAPTCHA • CAPTCHA
 ΫϥΠΞϯτ͕ίϯϐϡʔλ͔ਓ͔Λ൑அ͢Δ΋ͷ ‣ Completely Automated Public Turing Test

    To Tell Computers and Humans Apart(ίϯϐϡʔλͱਓؒ Λ۠ผ͢ΔͨΊͷ׬શʹࣗಈԽ͞Εͨެ։νϡʔϦ ϯάςετʣͷུ
  44. CAPTCHA • จࣈͷಡΈऔΓ͚ͩͰ͸ͳ͘, ʮը૾ͷू߹ͷத͔Βࢦ ఆͨ͠छྨͷ΋ͷ͚ͩΛΫϦοΫ͢Δʯ΋ͷ΍, ʮύζ ϧͷϐʔεΛυϥοάͯ͠ਖ਼͍͠Ґஔʹ͸ΊΔʯͱ͍ͬ ͨΑ͏ͳ΋ͷ΋͋Δʢେม໘౗ʣ • Google͕։ൃͨ͠reCAPTCHAͰ͸ͦͷΑ͏ͳૢ࡞͕

    ෆཁʹ ‣ ඍົͳ৔߹͸ࠓ·ͰͷΑ͏ͳCAPTCHAͷ൑ఆΛߦ͏ ৔߹΋͋Δ Ҿ༻ɿhttps://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/103.html CAPTCHA ऴྃ